Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Phishing Campaigns. Show all posts
Webhook Exploitation
Automation Security Cyber Threat Intelligence Cyer Threats Device Fingerprinting malware malware delivery N8n Webhook Abuse Phishing Campaigns RMM Abuse Webhook Exploitation

n8n Webhooks Under Threat as Attackers Orchestrate Malware Delivery via Phishing


 

A security researcher has identified a critical flaw in the open-source workflow orchestration platform n8n, which is increasingly embedded in enterprise and AI-driven operations, that highlights the fragility of modern automation ecosystems. 

The vulnerability, CVE-2026-21858, has been assigned the highest severity rating and exposes tens of thousands of deployments to potential compromise because of a subtle yet dangerous "content-type confusion" vulnerability. 

A Cyera study found that this flaw enables attackers to bypass the intended automation controls altogether, effectively turning trusted workflows into unprotected execution paths. In addition to serving as a connector between enterprise applications and advanced AI models such as GPT-4 and Claude, platforms such as n8n and Zapier have also become increasingly appealing targets due to their increasing capacity to orchestrate business logic. These engines were previously designed for integrating tools like Slack, Gmail, and Google Sheets, but may now find themselves being utilized for coordinated malicious campaigns, including large-scale phishing operations and automated distribution of malware. 

N8n's primary function is to interconnect web applications and services through API-driven logic, which allows companies to orchestrate complex processes across platforms such as Slack, GitHub, and Google Sheets. The community-licensed edition of the software enables self-hosted deployment, whereas the cloud-based version can extend these capabilities further by integrating AI-driven features that will automatically interact with external data sources and carry out tasks using agent-based models. 

With the platform's accessibility especially the ability to create developer accounts without any initial investment users have experienced a significant reduction in entry barriers. The platform automatically provisions unique subdomains within its cloud environment for deploying and accessing workflows. 

Although this model is similar to other AI-assisted development ecosystems in terms of convenience, it also introduces an attack surface that threat actors have demonstrated proficiency at exploiting. In adjacent platforms, adversaries have already developed similar patterns, in which they have utilized legitimate cloud-hosted environments to create phishing infrastructure. 

As part of n8n's architecture, webhooks are a crucial component, which allow workflows to be dynamically initiated upon receiving external data in a timely manner. This webhook endpoint is effectively a passive listener that has been assigned unique URLs that enable it to ingest and process inbound requests in real-time. 

Cisco Talos researchers have observed sustained abuse of these publicly accessible endpoints since October 2025, which has drawn scrutiny of this mechanism. A powerful technique used by attackers to embed malicious logic within otherwise legitimate looking infrastructure is the use of webhook URLs hosted on trusted n8n subdomains. This facilitates phishing campaigns and the distribution of downstream malware. 

As webhooks are essentially reverse APIs where applications can receive and process incoming data including dynamically fetched HTML content these features further compound the risk, because they enable adversaries to exploit automation workflows to execute unauthorized actions under the guise of legitimate service interactions. 

Based on these architectural exposures, threat intelligence analysis indicates a sustained abuse of n8n's webhook functionality over a period of approximately one year, from October 2025 until March 2026, that was highly coordinated. As part of phishing campaigns, malicious actors have consistently utilized these endpoints as both delivery channels for malware and as mechanisms for device reconnaissance within phishing campaigns. 

An attacker has effectively bypassed conventional security controls based on domain reputation by embedding webhook URLs within email content in order to route victims through trusted n8n-hosted infrastructure. As a consequence of this tactic, an increased volume of emails containing these links has been observed. Telemetry indicates a dramatic increase. 

Attempts to evade automated detection have been made by incorporating CAPTCHA-gated landing pages, which obscure payload delivery, and ultimately deploying modified remote access tools, including repackaged versions of Datto Remote Monitoring Management and ITarian Endpoint Management. Further, the inclusion of tracking pixels within phishing emails allows attackers to tailor subsequent stages of intrusion more precisely as granular device fingerprinting can be accomplished. 

As a result of this activity, broader implications beyond isolated phishing incidents are evident, as legitimate automation platforms are being operationalized as covert attack infrastructure. Using trusted domains to conceal malicious workflows, adversaries significantly complicate both detection and response efforts, rendering traditional blocklist defenses largely ineffective when they conceal malicious workflows behind trusted domains. 

Depending on the severity, the impact may vary from an initial compromise through credential harvesting to persistent unauthorized access enabled by remote management tools. Because the abuse occurs as a result of intended platform functionality and not a direct software flaw, mitigation requires a reevaluation of defensive strategies. 

Behavioral analysis should be prioritized over static indicators by security teams, anomalous webhook activity should be monitored closely, and workflow automation should be governed more strictly. Enhanced email filtering, combined with user awareness initiatives focused on evolving phishing techniques, remains essential, especially as attackers continue to refine methods that blend seamlessly into legitimate operational environments. 

On the basis of these findings, researchers have demonstrated how threat actors have rapidly adapted n8n webhook capabilities to scale both malware delivery and reconnaissance efforts. As of early 2026, phishing emails containing n8n webhook URLs had skyrocketed dramatically in intensity, reflecting a sharp rise in campaign intensity. 

In one observed operation, attackers posed as sharing documents and lured recipients to interact with embedded webhook links through emails masquerading as shared documents. In response to engagement, victims were redirected to intermediate pages containing CAPTCHA challenges, a tactic intended to evade automated security analysis.

Successful interaction resulted in the silent retrieval of malicious payloads from external infrastructure, and the execution chain remained visually linked to n8n as a trusted domain. Additionally, client-side scripting is used to obfuscate the download so that browsers interpret it to be originating from an appropriate source, reducing suspicion and bypassing conventional filtering.

A key component of these campaigns is the deployment of executable files or MSI installers which deliver modified versions of popular remote monitoring and management programs. By establishing persistent access via command-and-control communication channels, attackers have been able to establish persistent access. 

Parallel to this, phishing emails contain webhook-hosted tracking pixels, thereby posing a secondary vector of abuse. As soon as an email is opened, these invisible elements automatically initiate outbound requests, transmitting identifying parameters that provide adversaries with the ability to profile targets in great detail and refine subsequent attack phases. 

Collectively, these techniques illustrate the trend of repurposing low-code automation platforms into scalable attack frameworks for various types of attacks. It is now being exploited by malicious parties to streamline their malicious operations in the same flexible and integrated manner that underpins their enterprise value, reinforcing the importance of reassessing trust assumptions and implementing controls that prevent these platforms from inadvertently becoming conduits for compromise. Because of these developments, the focus is now shifting toward strengthening oversight around the automation ecosystems, which are now critical extensions of enterprise infrastructures.

Security strategies need to develop to account for misuse of legitimate services, emphasizing contextual analysis, tighter access governance, and continuous monitoring of workflow behaviour. It is imperative that resilience is built upon the capability of not only blocking known indicators, but also of detecting subtle deviations in the way these platforms are being used as threat actors integrate into trusted environments. 

To maintain the integrity of automation systems that were never designed to be adversarial in nature, a disciplined approach to automation security, combined with informed user vigilance, will be essential.
Read more »
social engineering attacks
Advanced Persistent Threats Charming Kitten cyber espionage cybersecurity risks Insider Threats Iranian Cyber Threats malware Phishing Campaigns social engineering attacks

Old Espionage Techniques Power New Cyber Attacks by Charming Kitten Hackers


 

As zero-day exploits and increasingly sophisticated malware become a norm, a quieter and more calculated threat is beginning to gain momentum - one which relies less on breaking systems than it does on destroying trust. 

In recent months, there have been significant developments in Iran-linked cyber activities, where groups such as Charming Kitten are abandoning conventional vulnerability-driven attacks for deception, psychological manipulation, and carefully orchestrated human interaction. 

Instead of forcing entry through technical loopholes, these actors embed themselves within the digital lives of their targets, posing as credible contacts and cultivating familiarity over time. As a platform-agnostic organization, their operations are both available on macOS and Windows, demonstrating a commitment to maximizing access over exploitative efforts. 

While this occurs, emerging concerns regarding insider-driven data exposure, including allegations of covert methods such as photographing sensitive screens to bypass monitoring systems, underscore a broader reality indicating that the most critical vulnerabilities are no longer associated with code, but with human behavior.

These operations are being carried out by Charming Kitten, a threat group widely linked to Iran's security establishment that has targeted government officials, academic researchers, and corporate employees since its establishment in 2010. As a primary attack vector, the group uses identity deception, impersonating known contacts through convincingly engineered communication to obtain credentials or launch malware, rather than exploiting software flaws or exploit chains. 

As an intentional alignment with traditional intelligence tradecraft, the methodology provides deeper access than purely technical intrusion techniques by cultivating trust and controlling interaction. For this reason, operatives construct layered digital personas based on professional credibility or social engagement as part of this effort and establish rapport with target audiences before executing phishing attacks or delivering payloads.

Using a human-centered approach, it is consistently effective across both Apple and Microsoft environments without relying on platform-specific vulnerabilities, so its effectiveness is consistent across both environments. 

Additionally, insider risk concerns have been intensified in parallel, as investigations indicate the possibility of individuals inside major technology organizations facilitating data exposure through low detection techniques, including the capture of sensitive information physically, thus circumventing conventional cybersecurity controls and reinforcing the complexity of modern threat environments. 

The threat landscape has begun to reflect a more sophisticated approach to visibility and restraint as a result of these targeted intrusion campaigns, in addition to a broader pattern of Iranian-related cyber activity.

In many cases, the activity observed at present has a low level of immediate operational severity, ranging from website defacements and disruptions of distributed denial-of-service to phishing waves, coordinated influence messaging, and reconnaissance of externally exposed infrastructures. These actions, however, are rarely isolated or symbolic; historically, they have served as early indicators of intent, which have enabled the testing of defenses, signaling capabilities, and forming of the operational environment in advance of sustained or covert engagements. 

In extensive and highly adaptable ecosystem is responsible for enabling this activity, which consists of state-aligned advanced persistent threat groups, semi-autonomous proxies, hacktivist fronts, and loosely aligned external collectives. While these actors usually lack overt coordination during periods of geopolitical tension, they are often aligned in their targeting priorities and narrative framing, resulting in disruptive noise and intelligence-driven precision. 

Developing regional dynamics provides the opportunity for this structure to be scalable and implausibly deniable for escalation, particularly in the context of entities in regions aligned with U.S. or Israeli interests. In sectors such as critical infrastructure, energy, telecommunications, logistics, and public administration, high value targets are encountered.

It is important to note that Iran's cyber strategy does not adhere to a single, publicly defined doctrine, but rather represents a pragmatic extension of its broader asymmetric security approach. During the last decade, cyber capabilities have evolved into multipurpose instruments that can be used for intelligence collection, domestic oversight, retaliatory signaling, as well as regional influence. 

The concept of cyber activity is less of a distinct domain within this framework as it is an integral part of statecraft that is designed to operate beneath the threshold of conventional conflict while delivering strategic outcomes. 

Through the surveillance and disruption of opposition networks, it can be applied to strengthen internal regime stability, extract political and economic advantage, and project coercive influence by imposing calculated costs on adversaries while maintaining deniability to achieve political and economic advantage. 

Increasingly, modern cyber operations are being characterized by a convergence of intent and capability which underscores a threat model that incorporates technical intrusions, psychological manipulation, and geopolitical signaling as integral components. These methods are reminiscent of intelligence practices historically associated with Cold War espionage, when cultivating access through trust led to more lasting results than purely technical advancement. 

The current threat landscape operationalizes this principle through the creation of highly curated digital identities that are frequently designed to appear credible or socially engaging. By establishing rapport with their target, adversaries are able to harvest credentials or deliver malware. 

The human-centered intrusion model is independent of platform-specific vulnerabilities and has demonstrated sustained effectiveness across both the Apple and Microsoft ecosystems Nevertheless, parallel concerns have emerged regarding insider risk. 

Investigations have shown that individuals embedded within technology environments can facilitate data exposure through deliberately low-tech methods, such as taking photographs directly from screens, to circumvent conventional monitoring methods. It is a common statement among security practitioners that trusted access remains one of the most difficult vectors to combat, often bypassing even mature security architectures. 

According to analysts, these patterns are not isolated incidents but are part of an integrated intelligence framework integrating cyber operations with human networks, surveillance, and strategic recruitment pipelines. 

In accordance with former Iranian officials, Iran has developed a multi-layered operational model encompassing online intelligence collection, asset cultivation, and procurement mechanisms, which together increase Iran's reach and resilience. It is widely recognized that Iran is a highly sophisticated adversary with the potential to blend psychological operations with technical intrusion, despite historically being overshadowed by larger cyber powers. 

Moreover, the same operational networks have been used to monitor dissident communities beyond national borders, indicating a dual-purpose strategy extending beyond conventional state competition into internal control mechanisms as well. In the context of increasing blurring boundaries between external intelligence gathering and domestic influence operations, attribution and intent assessment become more difficult. 

Several high-profile cases involving alleged insider cooperation further underscore the enduring threat that is posed by human-mediated compromise. Mitigation therefore requires a rigorous, layered security posture that addresses technical as well as behavioral vulnerabilities. Prior to sharing sensitive information, it remains imperative to verify digital identities, particularly in environments susceptible to targeted social engineering schemes. 

By combining strong, unique credentials with multi-factor authentication, it is significantly less likely that a compromised account will occur, while regular updating of antivirus software and endpoint protection solutions provides a baseline level of security.

As part of active network defense, such as properly configured firewalls, unauthorized access pathways can be further limited, and the use of reputable malware detection and remediation tools makes it possible to identify and contain suspicious activity early. These measures reinforce the principle that effective cybersecurity no longer involves merely technological controls, but rather a combination of user awareness, operational vigilance, and adaptive defense strategies.

Increasingly, threat actors are implementing operations that blur the line between human intelligence and cyber intrusion, requiring organizations to increase their focus on resilience beyond perimeter defenses. 

To detect subtle indicators of compromise that do not evade conventional controls, strategic investments in behavioral monitoring, identity governance, and continuous threat intelligence integration will be essential. It is clear that preparedness has evolved from being able to detect and avoid every breach, but rather from being able to anticipate, detect, and respond with precision to adversaries that utilize both systems and human trust to carry out their attacks.
Read more »
Phishing Campaigns
Callback Phishing Cloud Security Threats Cyber Attacks Cyber Threat Intelligence Email Authentication Bypass Enterprise Security Risks Microsoft Azure Monitor Phishing Campaigns

Cybercriminals Misuse Microsoft Azure Monitor Alerts for Phishing Operations


Using trusted enterprise monitoring systems as a tool for credentialing their deception, threat actors have begun to make a subtle but highly effective shift in phishing tradecraft. Through the use of Microsoft Azure Monitor alerting mechanisms, attackers are orchestrating callback phishing campaigns that blur the line between legitimate security communication and malicious activity. 


Organizations commonly rely upon these alerts to monitor system health and security events in real time, but they are now being repurposed to convey a false sense of urgency, encouraging recipients to initiate contact with attacker-controlled telephone numbers. 

By using messages originating from authentic Microsoft infrastructure, the tactic represents a significant improvement over conventional phishing, thereby evading many of the technical and psychological safeguards users have been trained to rely on. 

Microsoft Azure Monitor is now one of a growing number of legitimate enterprise tools increasingly repurposed to facilitate phishing operations, joining a growing roster of legitimate enterprise tools. The platform is widely deployed to aggregate telemetry across applications and infrastructure, which assists organizations in tracking performance metrics, uncovering anomalies, and responding to operational disruptions in real time. The adversaries are now exploiting precisely this trusted functionality. 

The service is reporting that users are receiving alert emails directing them to purported "suspicious charges" or irregular "invoice activity" based upon recent activity. In order to ensure that such notifications merge seamlessly into routine administrative workflows, they align closely with the types of events that are flagged by the platform, making it extremely difficult to distinguish them from real alerts and increasing the likelihood that users will engage with them. 

In the last several weeks, a noticeable increase in such activity has been observed, with multiple individuals reporting receiving alert notifications that alerts were received warning of suspicious charges or anomalous billing events connected to their accounts.

To strengthen the authenticity of these messages, they often incorporate fabricated transaction metadata, such as merchant identifiers, transaction IDs, timestamps, and dollar amounts, to mirror legitimate security advisories. Upon receiving the message, recipients are urged to immediately act under the pretext of fraud prevention, typically by contacting a designated support number allegedly relating to the account security department. 

In order to prompt quick response by users, the language employed is deliberately urgent yet procedural, implying risks of account suspension or additional financial exposure. Unlike more conventional phishing attempts, this campaign is distinguished not only by the narrative sophistication it contains, but also by the delivery mechanism it employs. 

Alerts are sent directly through Microsoft Azure Monitor using legitimate Microsoft-associated email channels, including standard no-reply addresses, rather than through spoofed domains or lookalike infrastructure. These communications, as a result, successfully satisfy email authentication protocols such as SPF, DKIM, and DMARC, which enable them to pass through secure email gateways without raising typical red flags. 

By combining technical legitimacy and social engineering precision, this attack is elevated significantly in credibility, complicating both automated detection and user-driven scrutiny of the attack. The campaign reveals a deliberate use of Microsoft Azure Monitor's configurability as a basis for generating alerts based on predefined conditions across applications, infrastructure, and billing workflows. 

Users can create alert rules related to routine operational events, such as the confirmation of orders, the processing of payments, and the creation of invoices, in order to create granular alert rules. As a result of this flexibility, threat actors are embedding malicious content directly within alert metadata, primarily in custom description fields, which are normally used as administrative context fields. 

After establishing these rules, the alerts will be triggered programmatically and routed through distribution lists controlled by the attacker, allowing broad dissemination while maintaining the appearance that the system has generated the alert. 

In addition to benign-looking system events such as resource utilization spikes or storage constraints, the content of these notifications is deliberately varied, incorporating a variety of financial-oriented messages referencing successful fund transfers or billing updates in a format aligned with the standard Microsoft alert template format.

A deliberate pivot toward callback-based social engineering is the cornerstone of this operation, which shifts the point of compromise from an inbox to a controlled voice interaction, shifting the point of compromise to the telephone.

By instructing recipients to contact a designated support number instead of embedding malicious links, the alerts circumvent traditional URL-based detection mechanisms by preventing recipients from contacting malicious links. In their messaging, immediacy is consistently emphasized, citing potential account suspensions, financial penalties, or pending transaction verifications as a means to compel immediate response.

Researchers who have observed similar campaigns note that the victim is often guided through a sequence of steps designed to escalate access, from revealing credentials and authorizing payments to installing remote access utilities. 

Ultimately, such interactions can facilitate deeper intrusions into corporate environments, resulting in the exposure to persistent unauthorized access and system compromise that extends beyond initial fraud. Additionally, the campaign's operational scope demonstrates its calculated design, as attackers mimic routine billing notifications generated within enterprise environments using a variety of alert categories, primarily those related to invoicing and payments.

When alerts are aligned with familiar financial processes, they are more likely to evade suspicion during initial evaluation when they have a thematic structure. Through consistent insertion of urgency-driven language in the email, recipients are compelled to contact the recipients using the embedded phone numbers in an effort to resolve time-sensitive account discrepancies. 

This interaction presents multiple avenues for exploitation, including credential harvesting, fraudulent transaction authorization, and the deployment of remote access tools, which can further establish attacker footholds within the targeted system. 

A defensive approach to billing that involves alerts originating from platforms such as Microsoft Azure Monitor or associated Microsoft services should be viewed with heightened scrutiny, especially if the alerts deviate from standard operational patterns by containing direct support contact instructions or urgent financial remediation requests.

A security practitioner emphasizes the importance of independently verifying the legitimacy of such communications before taking action. As the alerts are enterprise-centric, there is a strong probability that the activity is not limited to isolated financial fraud, but may also serve as an initial point of entry for broader intrusion chains targeting corporate networks, in addition to isolated financial fraud. 

Considering these findings, organizations should reevaluate the implicit trust placed in system-generated communications, specifically those that originate from widely adopted cloud platforms, such as Microsoft Azure Monitor.

Teams responsible for security should focus on implementing contextual alert validation mechanisms, educating users about callback-based attacks, and implementing more restrictive rules for creating and distributing alerts within cloud environments. 

The establishment of verification protocols requiring users to confirm the legitimacy of billing or security-related notifications through official channels rather than relying on embedded contact information is equally important.

It is increasingly evident that adversaries will continue to exploit the convergence of trusted infrastructure and human response behaviors as well as the ability of an organization to critically assess its own operational signals in order to remain resilient.
Read more »
XWorm malware
data theft malware malware Phishing Campaigns ransomware plugins XWorm 6.5 XWorm backdoor XWorm malware

New XWorm Malware Variants Emerge in Phishing Campaigns with Advanced Plugin Capabilities

 

New variants of the XWorm backdoor malware are being actively spread through phishing campaigns after its original creator, known as XCoder, abandoned the project last year.

The latest editions — XWorm 6.0, 6.4, and 6.5 — have been adopted by multiple cybercriminal groups. These updated versions include plugin support that enables a wide range of malicious activities, from data theft and remote system access to file encryption and decryption.

The most recent release developed by XCoder was version 5.6, which contained a remote code execution (RCE) vulnerability. The newly distributed variants reportedly fix that flaw while introducing enhanced attack features.

First detected in 2022, XWorm gained notoriety for its modular structure and broad feature set. It’s primarily used to harvest sensitive data such as passwords, cryptocurrency wallets, and financial information. The malware can also record keystrokes, extract clipboard data, perform DDoS attacks, and deliver other malicious payloads.

After XCoder deleted their Telegram channels, cracked versions of the malware began circulating widely, with various threat actors distributing them. In fact, one campaign even used XWorm itself as bait to target less-experienced hackers—infecting over 18,000 systems globally, primarily across Russia, the U.S., India, Ukraine, and Turkey.

A new version of XWorm appeared on a hacker forum, advertised by a user named XCoderTools, who offered access for a $500 lifetime subscription. Although it’s unclear if this is the same developer, the user claimed that the new versions fixed the RCE issue and introduced multiple updates.

Cybersecurity researchers at Trellix have observed a rise in XWorm samples on VirusTotal since June, suggesting the malware’s increasing popularity among threat actors.

In one campaign, XWorm was distributed using malicious JavaScript that executed a PowerShell script capable of bypassing Microsoft’s Antimalware Scan Interface (AMSI) to install the backdoor.

According to Trellix’s September report, “the XWorm malware infection chain has evolved to include additional techniques beyond traditional email-based attacks.” While .LNK files and email attachments remain common entry points, newer variants disguise themselves as legitimate executables — even mimicking applications like Discord.

“This marks a shift towards combining social engineering with technical attack vectors for greater effectiveness,” Trellix explained.

Further analyses revealed campaigns using AI-themed phishing lures and a modified version of ScreenConnect, as well as cases where malicious Excel files (.XLAM) embedded with shellcode delivered the payload.

Trellix researchers uncovered over 35 plugins associated with the latest XWorm versions, significantly expanding its functions — including a ransomware component.

The Ransomware.dll plugin allows attackers to lock victims’ files, demand payment, and customize ransom notes, wallpaper messages, and Bitcoin wallet details. The encryption avoids system-critical directories, focusing on user folders like %USERPROFILE% and Documents. Encrypted files are appended with the .ENC extension, while a ransom instruction HTML file is dropped on the desktop.

Code analysis revealed similarities between XWorm’s ransomware module and the NoCry ransomware from 2021, both using the same encryption methods (AES-CBC with 4096-byte blocks).

Beyond ransomware, other identified modules include:

  • RemoteDesktop.dll – Enables full remote control sessions.
  • Stealer.dll, Chromium.dll, Recovery.dll – Extract credentials and application data.
  • FileManager.dll – Grants file system access and manipulation.
  • Shell.dll – Executes commands through hidden CMD processes.
  • Webcam.dll – Records or verifies the infected system through webcam access.
  • TCPConnections.dll & ActiveWindows.dll – Send live system and network data to command servers.

With modules designed to steal data from more than 35 browsers, email clients, and crypto wallets, the malware represents a serious risk to both individuals and organizations.

Trellix recommends a multi-layered cybersecurity defense, including EDR solutions for detecting malicious behavior, and email/web gateways to block droppers. Network monitoring tools can also help identify communications with command-and-control (C2) servers and prevent data exfiltration.
Read more »
Phishing Campaigns
AI Cloud Cyber Security GenAI Internet Microsoft Phishing Campaigns

Microsoft Stops Phishing Scam Which Used Gen-AI Codes to Fool Victims


AI: Boon or Curse?

AI code is in use across sectors for variety of tasks, particularly cybersecurity, and both threat actors and security teams have turned to LLMs for supporting their work. 

Security experts use AI to track and address to threats at scale as hackers are experimenting with AI to make phishing traps, create obfuscated codes, and make spoofed malicious payloads. 

Microsoft Threat Intelligence recently found and stopped a phishing campaign that allegedly used AI-generated code to cover payload within an SVG file. 

About the campaign 

The campaign used a small business email account to send self addressed mails with actual victims coveted in BCC fields, and the attachment looked like a PDF but consisted SVG script content. 

The SVG file consisted hidden elements that made it look like an original business dashboard, while a secretly embedded script changed business words into code that exposed a secret payload. Once opened, the file redirects users to a CAPTCHA gate, a standard social engineering tactical that leads to a scanned sign in page used to steal credentials. 

The hidden process combined business words and formulaic code patterns instead of cryptographic techniques. 

Security Copilot studied the file and listed markers in lines with LLM output. These things made the code look fancy on the surface, however, it made the experts think it was AI generated. 

Combating the threat

The experts used AI powered tools in Microsoft Defender for Office 375 to club together hints that were difficult for hackers to push under the rug. 

The AI tool flagged the rare self-addressed email trend , the unusual SVG file hidden as a PDF, the redirecting to a famous phishing site, the covert code within the file, and the detection tactics deployed on the phishing page. 

The incident was contained, and blocked without much effort, mainly targeting US based organizations, Microsoft, however, said that the attack show how threat actors are aggressively toying with AI to make believable tracks and sophisticated payloads.

Read more »
SpamGPT
AI phishing tool Cyber Fraud cybercrime AI email security Phishing Campaigns ransomware attacks SpamGPT

SpamGPT: AI-Powered Phishing Tool Puts Cybersecurity at Risk

 

While most people have heard of ChatGPT, a new threat called SpamGPT is now making headlines. Security researchers at Varonis have discovered that this professional-grade email campaign tool is designed specifically for cybercriminals. The platform, they report, offers “all the conveniences a Fortune 500 marketer might expect, but adapted for cybercrime.”

SpamGPT’s dashboard closely mimics legitimate email marketing software, allowing attackers to plan, schedule, and track large-scale spam and phishing campaigns with minimal effort. By embedding AI-powered features, the tool can craft realistic phishing emails, optimize subject lines, and fine-tune scams—making it accessible even to criminals with little technical background.

"SpamGPT is essentially a CRM for cybercriminals, automating phishing at scale, personalizing attacks with stolen data, and optimizing conversion rates much like a seasoned marketer would. It's also a chilling reminder that threat actors are embracing AI tools just as fast as defenders are," explained Rob Sobers, CMO at Varonis.

The toolkit includes built-in modules for SMTP/IMAP configuration, inbox monitoring, and deliverability testing. Attackers can upload stolen SMTP credentials, verify them through an integrated checker, and rotate multiple servers to avoid detection. IMAP monitoring further allows criminals to track replies, bounces, and email placement.

A real-time inbox check feature sends test emails and confirms whether they land in inboxes or spam folders. Combined with campaign analytics, SpamGPT functions much like a legitimate customer relationship management (CRM) platform—but is weaponized for phishing, ransomware, and other cyberattacks.

Marketed as a “spam-as-a-service” solution, SpamGPT lowers the skill barrier for cybercrime. Tutorials such as “SMTP cracking mastery” guide users in obtaining or hacking servers, while custom header options make it easier to spoof trusted brands or domains. This means even inexperienced attackers can bypass common email authentication methods and run large-scale campaigns.

Experts warn that the rise of SpamGPT could trigger a surge in phishing, ransomware, and malware attacks. Its ability to slip past spam filters and disguise malicious payloads as legitimate correspondence makes it especially dangerous for both individuals and businesses.

To counter threats like SpamGPT, cybersecurity experts recommend:

  • Enforcing DMARC, SPF, and DKIM to block spoofed emails.

  • Deploying AI-driven phishing detection tools.

  • Maintaining regular backups and malware removal protocols.

  • Implementing multi-factor authentication (MFA) across all accounts.

  • Providing ongoing phishing awareness training for employees.

  • Using network segmentation and least-privilege access controls.

  • Keeping software and security patches updated.

  • Testing and refining incident response plans for rapid recovery.

SpamGPT demonstrates how cybercriminals are harnessing AI to evolve their tactics. As defenses improve, attackers are adapting just as quickly—making vigilance and layered security strategies more critical than ever.

Read more »
State-Sponsored Espionage
AI Misuse Cybersecurity Data Theft Deepfake Attacks Generative AI Kimsuky malware North Korean Hackers Phishing Campaigns State-Sponsored Espionage

North Korean Threat Actors Leverage ChatGPT in Deepfake Identity Scheme


North Korean hackers Kimsuky are using ChatGPT to create convincing deepfake South Korean military identification cards in a troubling instance of how artificial intelligence can be weaponised in state-backed cyber warfare, indicating that artificial intelligence is becoming increasingly useful in cyber warfare. 

As part of their cyber-espionage campaign, the group used falsified documents embedded in phishing emails targeting defence institutions and individuals, adding an additional layer of credibility to their espionage activities. 

A series of attacks aimed at deceiving recipients, delivering malicious software, and exfiltrating sensitive data were made more effective by the use of AI-generated IDs. Security monitors have categorised this incident as an AI-related hazard, indicating that by using ChatGPT for the wrong purpose, the breach of confidential information and the violation of personal rights directly caused harm. 

Using generative AI is becoming increasingly common in sophisticated state-sponsored operations. The case highlights the growing concerns about the use of generative AI in sophisticated operations. As a result of the combination of deepfake technology and phishing tactics, these attacks are harder to detect and much more damaging. 

Palo Alto Networks' Unit 42 has observed a disturbing increase in the use of real-time deepfakes for job interviews, in which candidates disguise their true identities from potential employers using this technology. In their view, the deepfake tactic is alarmingly accessible because it can be done in a matter of hours, with just minimal technical know-how, and with inexpensive consumer-grade hardware, so it is alarmingly accessible and easy to implement. 

The investigation was prompted by a report that was published in the Pragmatic Engineer newsletter that described how two fake applicants who were almost hired by a Polish artificial intelligence company raised suspicions that the candidates were being controlled by the same individual as deepfake personas. 

As a result of Unit 42’s analysis, these practices represent a logical progression from a long-standing North Korean cyber threat scheme, one in which North Korean IT operatives attempt to infiltrate organisations under false pretences, a strategy well documented in previous cyber threat reports. 

It has been repeatedly alleged that the hacking group known as Kimsuky, which operated under the direction of the North Korean state, was involved in espionage operations against South Korean targets for many years. In a 2020 advisory issued by the U.S. Department of Homeland Security, it was suggested that this group might be responsible for obtaining global intelligence on Pyongyang's behalf. 

Recent research from a South Korean security firm called Genians illustrates how artificial intelligence is increasingly augmented into such operations. There was a report published in July about North Korean actors manipulating ChatGPT to create fake ID cards, while further experiments revealed that simple prompt adjustments could be made to override the platform's built-in limitations by North Korean actors. 

 It follows a pattern that a lot of people have experienced in the past: Anthropic disclosed in August that its Claude Code software was misused by North Korean operatives to create sophisticated fake personas, pass coding assessments, and secure remote positions at multinational companies. 

In February, OpenAI confirmed that it had suspended accounts tied to North Korea for generating fraudulent resumes, cover letters, and social media content intended to assist with recruitment efforts. These activities, according to Genians director Mun Chong-hyun, highlight the growing role AI has in the development and execution of cyber operations at many stages, from the creation of attack scenarios, the development of malware, as well as the impersonation of recruiters and targets. 

A phishing campaign impersonating an official South Korean military account (.mil.kr) has been launched in an attempt to compromise journalists, researchers, and human rights activists within this latest campaign. To date, it has been unclear how extensive the breach was or to what extent the hackers prevented it. 

Officially, the United States assert that such cyber activities are a part of a larger North Korea strategy, along with cryptocurrency theft and IT contracting schemes, that seeks to provide intelligence as well as generate revenue to circumvent sanctions and fund the nuclear weapons program of the country. 

According to Washington and its allies, Kimsuky, also known as APT43, a North Korean state-backed cyber unit that is suspected of being responsible for the July campaign, was already sanctioned by Washington and its allies for its role in promoting Pyongyang's foreign policy and sanction evasion. 

It was reported by researchers at South Korean cybersecurity firm Genians that the group used ChatGPT to create samples of government and military identification cards, which they then incorporated into phishing emails disguised as official correspondence from a South Korean defense agency that managed ID services, which was then used as phishing emails. 

Besides delivering a fraudulent ID card with these messages, they also delivered malware designed to steal data as well as allow remote access to compromised systems. It has been confirmed by data analysis that these counterfeit IDs were created using ChatGPT, despite the tool's safeguards against replicating government documents, indicating that the attackers misinterpreted the prompts by presenting them as mock-up designs. 

There is no doubt that Kimsuky has introduced deepfake technology into its operations in such a way that this is a clear indication that this is a significant step toward making convincing forgeries easier by using generative AI, which significantly lowers the barrier to creating them. 

It is known that Kimsuky has been active since at least 2012, with a focus on government officials, academics, think tanks, journalists, and activists in South Korea, Japan, the United States, Europe, and Russia, as well as those affected by North Korea's policy and human rights issues. 

As research has shown, the regime is highly reliant on artificial intelligence to create fake summaries and online personas. This enables North Korean IT operatives to secure overseas employment as well as perform technical tasks once they are embedded. There is no doubt that such operatives are using a variety of deceptive practices to obscure their origins and evade detection, including artificial intelligence-powered identity fabrication and collaboration with foreign intermediaries. 

The South Korean foreign ministry has endorsed that claim. It is becoming more and more evident that generative AI is increasingly being used in cyber-espionage, which poses a major challenge for global cybersecurity frameworks: assisting citizens in identifying and protecting themselves against threats not solely based on technical sophistication but based on trust. 

Although platforms like ChatGPT and other large language models may have guardrails in place to protect them from attacks, experts warn that adversaries will continue to seek out weaknesses in the systems and adapt their tactics through prompt manipulation, social engineering, and deepfake augmentation in an effort to defeat the system. 

Kimsuky is an excellent example of how disruptive technologies such as artificial intelligence and cybercrime erode traditional detection methods, as counterfeit identities, forged credentials, and distorted personas blur the line between legitimate interaction and malicious deception, as a result of artificial intelligence and cybercrime. 

The security experts are urging the public to take action by using a multi-layered approach that combines AI-driven detection tools, robust digital identity verification, cross-border intelligence sharing, and better awareness within targeted sectors such as defence, academia, and human rights industries. 

Developing AI technologies together with governments and private enterprises will be critical to ensuring they are harnessed responsibly while minimising misuse of these technologies. It is clear from this campaign that as adversaries continue to use artificial intelligence to sharpen their attacks, defenders must adapt just as fast to maintain trust, privacy, and global security as they do against adversaries.
Read more »
SharePoint
Credential Theft Cyber Fraud Cyber Threats Microsoft 365 login Microsoft visio Phishing Attack Phishing Campaigns SharePoint

New Two-Step Phishing Attack Exploits Microsoft Visio and SharePoint

 

A novel two-step phishing strategy is targeting Microsoft Visio files (.vsdx) and SharePoint, signaling a new trend in cyber deception, according to experts. Researchers at Perception Point have noted a significant rise in attacks leveraging these previously uncommon .vsdx files.

These files act as delivery tools, directing victims to phishing pages that replicate Microsoft 365 login portals, aiming to steal user credentials.

The two-step phishing attacks employ layered techniques to evade detection. Rather than delivering harmful content directly, these campaigns use trusted platforms like Microsoft SharePoint to host files that appear legitimate. Attackers embed URLs within Visio files, which redirect victims to malicious websites when clicked, bypassing traditional email security systems.

Microsoft Visio, a popular tool for professional diagram creation, has now become a phishing vector. Cybercriminals send emails with Visio files from compromised accounts, often mimicking urgent business communications such as proposals or purchase orders. This tactic encourages recipients to act quickly, increasing the likelihood of success.

Since the emails come from stolen accounts, they often pass authentication checks and evade recipient security filters. In some cases, attackers include .eml files within the emails, embedding additional malicious URLs linked to SharePoint-hosted files.

The Visio files typically contain a clickable button labeled "View Document." Victims are instructed to press the Ctrl key while clicking the button to access the malicious URL. This step, requiring manual interaction, bypasses automated security systems that cannot simulate such behaviors.

Perception Point advises organizations to strengthen their defenses against sophisticated phishing campaigns by adopting advanced threat detection solutions. Suggested measures include:

  • Dynamic URL analysis to identify harmful links.
  • Object detection models to flag suspicious files.
  • Enhanced authentication mechanisms to reduce the impact of compromised accounts.
Read more »
STR RAT
Credential Theft cybersecurity threat Java Malware keylogging Malicious Payloads malware Phishing Campaigns Remote Access Trojan STR RAT

STR RAT: A Persistent Remote Access Trojan

 

The STR RAT is a remote access trojan (RAT) written in Java, first detected in 2020. Like other RATs, it allows threat actors full control of an infected machine. STR RAT is capable of keylogging, credential theft, and deploying additional malicious payloads. 

The malware is updated annually, aligning with its renewed use by threat actors. Cofense's analysis from January 2023 to April 2024 reveals that 60% of STR RAT samples are delivered directly via email rather than embedded links.

History of STR RAT

STR RAT resembles a seasonal flu, with yearly updates making it more prominent for short periods. Initially discovered on an antivirus forum in 2020, version 1.2 already featured keylogging, password theft, and backdoor access, along with a fake “.crimson” ransomware module that only renamed files. In 2021, Microsoft Threat Intelligence highlighted STR RAT in phishing campaigns. By 2022, it spoofed the Maersk shipping brand and employed a polyglot file technique, allowing execution as an MSI or Java file. In 2023, version 1.6 used Zelix KlassMaster and Allatori for code obfuscation. In 2024, STR RAT was uploaded to legitimate services like GitHub and AWS, making it harder to detect.

STR RAT steals passwords from Chrome, Firefox, Internet Explorer, and email clients like Outlook, Thunderbird, and Foxmail. Key commands include o-keylogger for logging keystrokes, down-n-exec for file execution, remote-screen for commandeering the computer, and power-shell for PowerShell access.

Current Usage and Impact

Though not as prevalent as other RATs like Remcos, STR RAT showed sustained activity from March to August 2023, likely due to the new version and polyglot file technique. In March 2024, significant activity was noted again, attributed to the use of legitimate services like GitHub and AWS for hosting and delivering the malware. STR RAT is typically delivered via email as an archive containing a .jar file, requiring a Java Runtime Environment (JRE) to execute. These archives may also contain necessary JRE binaries or download them from Maven and GitHub repositories.

Delivery Mechanisms

STR RAT's second most common delivery mechanism is loaders, which reach out to a payload location to download and run the malware. Jar Downloaders, CVE-2017-11882 exploits in Microsoft Office, and Windows Registry File downloaders are commonly used loaders. Additionally, embedded URLs in emails or attached PDFs often lead to the malware hosted on legitimate services like AWS, GitHub, and Discord’s CDN.

Unlike loaders, droppers contain the malware to be deployed. STR RAT's most common dropper is the JavaScript Dropper (JS Dropper), a .js file that executes natively on Windows. JS Droppers are usually attached to emails and contain both the dropper and STR RAT.

Behavior and Capabilities

Upon execution, STR RAT places files, creates persistence, and installs dependencies. It uses geolocator services to geo-fingerprint infected computers and sends system information to its command-and-control (C2) server. The malware also uses legitimate Java libraries for keylogging and database connectivity.

Detection and Hunting

Different versions of STR RAT leave various indicators of compromise (IOCs). After execution, STR RAT copies itself to multiple locations, creates a \lib\ folder with legitimate files, and generates a XXXXlock.file in the user's local home profile. The configuration can be observed through memory analysis, revealing the C2 server, port, and domain.

Persistence

STR RAT can create persistence through Registry Run Keys, Startup Folder entries, or Scheduled Tasks, ensuring the malware runs every time the user logs in. Endpoint detection and response software can monitor specific locations for signs of STR RAT persistence.

Network Traffic

STR RAT communicates with C2 servers using subdomains of free dynamic DNS services and legitimate services like GitHub and Maven. HTTP is used for C2 communications, though the port is not the standard tcp/80.

Legitimate Services

STR RAT reaches out to legitimate services for hosting tools and malware. Indicators of suspicious activity include access to GitHub and Maven repositories in conjunction with other malicious behaviors.

By understanding STR RAT's history, capabilities, and delivery mechanisms, cybersecurity professionals can better detect and defend against this persistent threat.
Read more »
Phishing Campaigns
Check Point research Cyber Attacks Foxit PDF Reader malware malicious PDF files malware malware delivery PDF Phishing Campaigns

How Attackers Distribute Malware to Foxit PDF Reader Users

 

Threat actors are exploiting a vulnerability in Foxit PDF Reader’s alert system to deliver malware through booby-trapped PDF documents, according to researchers at Check Point.

The researchers have identified several campaigns targeting Foxit Reader users with malicious PDF files. Attackers are utilizing various .NET and Python exploit builders, notably the “PDF Exploit Builder,” to create PDF documents containing macros that execute commands or scripts. These commands download and run malware such as Agent Tesla, Remcos RAT, Xworm, and NanoCore RAT.

"Regardless of the programming language, all builders exhibit a consistent structure. The PDF template used for the exploit includes placeholder text, which is meant to be replaced with the URL for downloading the malicious file once the user provides input," explained the researchers.

Additionally, threat actors are exploiting the fact that some of the pop-up alerts in Foxit Reader make the harmful option the default choice when opening these compromised files.

The first pop-up alert warns users that certain features are disabled to avoid potential security risks, giving them the option to trust the document one time only or always. The default and safer option is the former. However, once the user clicks OK, another alert appears.

Attackers are banking on users ignoring the alert text and quickly accepting the default options, thereby allowing Foxit Reader to execute the malicious command.

Foxit PDF Reader, used by over 700 million people globally, including in government and tech sectors, has been exploited by various threat actors ranging from e-crime to APT groups. These groups have been leveraging this exploit for years, often evading detection by most antivirus software and sandboxes that primarily focus on Adobe PDF Reader.

"The infection success and low detection rate have enabled PDFs to be distributed through unconventional means, such as Facebook, without being intercepted by detection rules," the researchers noted.

Check Point has reported the exploit to Foxit, and the company has announced plans to address it in version 2024 3.

"The proper approach would be to detect and disable such CMD executions. However, based on Foxit's response, they might simply change the default options to 'Do Not Open'," said Antonis Terefos, a reverse engineer at Check Point Research, to Help Net Security.

Efforts to reach Foxit for further comments have yet to receive a response.
Read more »
Phishing Campaigns
Azure Phishing Attacks Phishing Campaigns

Phishing and Cloud Account Takeover Campaign Targeting Microsoft Azure Users

 


In a security breach, several Azure accounts were compromised, which resulted in the loss of important data from the users. A cyberattack was launched against senior executives in several major corporations and affected a variety of environments at the same time. 

In November 2023, Proofpoint, a cybersecurity company, discovered a harmful attack by combining cloud account takeover (ATO) with phishing techniques that would steal credentials from the victim. This attack used the same harmful campaign that was discovered by Proofpoint in November 2023. 

It is alleged that the hackers have used proxy services to get around geographical limitations and conceal their actual location, which would allow them to access both Office Home and Microsoft 365 applications at the same time. It is thought that the attackers used links in the papers that led to phishing websites to execute the attack. 

The anchor text for some of these links was “View document,” which made no sense to me as it did not imply anything about their real location. There was a well-planned attack that targeted both mid-level employees and senior employees, though a greater number of the former employees' accounts were hacked as a result. 

According to Proofpoint, CEOs, presidents, account managers, finance directors, vice presidents of operations, and sales directors were the most common targets. In this way, the attackers were able to gain access to information from all levels and domains of the organization. 

A cybercriminal will often use their own MFA (multifactor authentication) in these types of attacks to extend access to an account that has been compromised by the attackers. To prevent the user from regaining access, attackers add a second mobile number or set up an authentication app. To conceal their traces, attackers also destroy any evidence that suggests questionable behaviour. 

The most targeted positions were mid to senior-level, including sales directors, account managers, financial directors, operations vice presidents, and CEOs, among others. The attackers were able to gain access to a wide variety of organizational information as a result of this. 

As a result, the attackers have also instituted methods to maintain access, such as setting up a multi-factor authentication system and erasing all evidence of their intrusion. Data theft and financial fraud appear to be the primary goals of these attacks. 

It is not yet confirmed who the perpetrators are, although the evidence suggests that they will be located in Russia or Nigeria, and will use ISPs that are located in these countries.
Read more »
SEKOIA
BEC Cyber Security cyber threat Finance Sector Phishing Campaigns SEKOIA

Sekoia Reports: Latest in the Financial Sector Cyber Threat Landscape


France-based cybersecurity company Sekoia published a new report regarding the evolution in the financial sector threat landscape. 

Among the many cybersecurity issues, phishing attacks like QR code phishing were the ones that have seen a massive surge in the sector.

Also, the report noted that the finance sector is subject to attacks on the software supply chain. 

Phishing as a Service Massively Hits the Sector

Sekoia claims that in 2023, the phishing-as-a-service paradigm reached widespread use. Cybercriminals are selling phishing kits that comprise phishing pages that mimic various financial institutions, as well as kits designed to take over Microsoft and obtain login credentials for Microsoft 365, which businesses utilize to authenticate to multiple services.

One instance of such a threat is NakedPages PhaaS, that offers phishing pages for varied targets, among which are the financial institutions. With over 3,500 individuals, the threat actor maintains licenses and frequently posts updates on its Telegram channel.

In regards to the aforementioned number, Sekoia based strategic threat intelligence analyst, Livia Tibirna says “generally speaking, cybercrime actors tend to increase their audience, and so their visibility, by inviting users to join their public resources. Therefore, the users are potential (future) customers of the threat actors’ services. Yet, other type of users joining threat actors’ Telegram resources are cybersecurity experts monitoring the related threats.”

QR Code Phishing Campaigns are on the Rise/ Sekoia reports an upsurge in the quantity of QR code phishing, or quishing, activities. Attacks known as "quishing" include using QR codes to trick people into divulging personal information—like login passwords or bank account details.

The cybersecurity firm notes that QR code phishing will eventually increase due to its “effectiveness in evading detection and circumventing email protection solutions.”

According to Sekoia, the most popular kit in Q3 of 2023 is the Dadsec OTT phishing as a service platform, which includes quishing features. It has been noted in a number of extensive attack campaigns, specifically posing as financial institutions.

Multiple Supply Chain Risks

Attacks against the supply chain of open-source software increased by 200% between 2022 and 2023. Since open-source components are used in digital products or services by 94% of firms in the financial sector, the industry is susceptible to attacks that take advantage of supply chain compromises involving open-source software.

One of the examples is the Log4Shell vulnerability and its exploitation, that has targeted thousands of companies globally for financial benefits and espionage. 

There have also been reports of supply chain attacks that particularly target the banking industry, demonstrating the potential of certain threat actors to create complex attacks against the industry.

"It is highly likely that advanced threat actors will persist in explicitly targeting the software supply chain in the banking sector," according to Sekoia.

Financially Oriented Malware 

Sekoia also mentioned some of the financially oriented malware that are predominantly designed to steal financial data, like credit card information, banking credentials, crypto wallets and other critical data, like: 

Mobile Banking Trojans: Sekoia has expressed special concern about the growing number of Trojans associated with mobile banking, which more than doubled in 2022 compared to the previous year and is still growing in 2023. According to Sekoia, this is probably because more mobile devices are being used for financial services, and that malware makes it easier to get around two-factor authentication.

Spyware: According to Sekoia, the usage of spyware, which are malicious programs made to gather passwords, sensitive data, and keystrokes, has increased in bank fraud in 2023. One kind of Android malware is called SpyNote, and it has added targeting of banking applications to its list of features.

Ransomware: The finance industry is a prime target for ransomware; in the third quarter of 2023, it was the sector most affected. Ransom demands ranged from $180,000 to $40 million, and in many instances, they had severe physical repercussions.

According to Sekoia, well-known ransomware actors that use extortion to affect the financial industry, like BianLian, have changed to an exfiltration-based extortion strategy that does not encrypt the victims' systems or data. This action is probably taken to prevent widespread encryption issues during large-scale hacking operations.

Reduce Cyber Threat Risks

The financial sector is vulnerable to several security risks. Although BEC and phishing have been around for a while, they have become more sophisticated over time to continue to impact the industry and stay up with emerging technologies. Every employee of financial institutions needs to be trained to recognize potential fraud or phishing efforts. Additionally, they want to have a simple method for informing their IT staff of any unusual activities.

However, more indirect attacks have recently entered the chart, since threat actors have been targeting organizations through supply chain attacks. Specifically, before being implemented, open-source software utilized in goods or services needs to be thoroughly examined.  

Read more »
Trend Micro
cryptomining Cyber Threats DarkGate malware malware Malware attacks malware-as-a-service (MaaS). Microsoft Teams Phishing Campaigns QakBot Botnet Ransomware Trend Micro

Compromised Skype Accounts Facilitate DarkGate Malware Spread

 

Cyber attackers wielding the DarkGate malware have utilized compromised Skype accounts as a vector to infiltrate targets between July and September. They accomplished this by dispatching messages with VBA loader script attachments. 

Trend Micro's security researchers, who detected these attacks, noted that this script is responsible for fetching a second-stage AutoIT script. This script, in turn, is tailored to deploy the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and MalwareBytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns utilized malicious VBScript to deploy the DarkGate malware. The attackers targeted users via compromised Office 365 accounts outside their respective organizations and leveraged a tool named TeamsPhisher. 

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The proliferation of the DarkGate malware loader for initial access into corporate networks has been on the rise, especially following the dismantling of the Qakbot botnet in August. This was due to international collaborative efforts. 

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.
Read more »
Phishing Campaigns
Cyber Attacks Email Phishing InterPlanetary File Syste IPFS Kaspersky Phishing Attacks Phishing Campaigns

How Threat Actors are Using IPFS for Email Phishing


InterPlanetary File System (IPFS) is a peer-to-peer distributed file system, that allows users around the world to exchange files. Instead of using file paths for addressing like centralized systems do, IPFS uses unique content identifiers (CID). The file itself stays on the user’s computer which had “uploaded” it to IPFS and downloaded directly from the computer. By default, a special software is needed to upload or download a file to IPFS (IPFS client). The so-called gateways are offered so users can browse the files stored in IPFS freely without installing any software. 

In 2022, threat actors conducted malicious activity by using IPFS for email phishing campaigns. They upload HTML files containing phishing forms to IPFS and use gateways as proxies so that users can access the files whether or not an IPFS client is installed on their devices. In addition, the scammers included file access links through a gateway into phishing messages forwarded to targeted victims. 

A distributed file system is used by attackers to reduce the cost of hosting phishing pages. Moreover, IPFS makes it impossible to erase files that have been uploaded by third parties. One can request that a file's owner delete it if they want it to totally disappear from the system, but cybercriminals will almost certainly never comply. 

IPFS gateway providers manage to tackle IPFS phishing attacks by consistently deleting links to fraudulent or suspicious files. 

Still, the detection or deletion of links at the gateway level do not always happen as quickly as blocking phishing emails, cloud files, or document. The URL addresses initially came to light in October 2022. As of right now, the campaign is still ongoing. 

The objective of phishing letters with IPFS links is often to gain the victim's account username and password, the reason why they barely contain very creative content. What is interesting about this tactic is where the HTML page links go. 

The recipient's email address is contained in the URL parameter. The email address given in the login box and the corporate logo at the top of the phishing form will both change, once modified. This way, one link can be utilized in a number of phishing campaigns targeting a variety of users. 

In late 2022, Kaspersky discovered two – 15,000 IPFS phishing letters a day for most of the time. This year, IPFS campaigns have begun to escalate, reaching more than 24,000 letters a day in January and February. February became the busiest month in terms of IPFS phishing activities, where researchers discovered a whooping 400,000 letters, a 100,000 increase from November and December 2022. 

In regards to this, Roman Dedenok, a security expert at Kaspersky commented “Attackers have and will continue to use cutting-edge technologies to reap profits. As of late, we have observes an increase in the number of IPFS phishing attacks — both mass and targeted. The distributed file system allows scammers to save money on domain purchase. Plus, it is not easy to completely delete a file, although, there are attempts to combat fraud at the IPFS gateway level. The good news is that anti-spam solutions detect and block links to phishing files in IPFS, just like any other phishing links. In particular, Kaspersky products employ a number of heuristics to detect IPFS phishing.”  

Read more »
Subscribe to: Comments (Atom)