
Hackers Target Cloud Apps Using Phone Scams and Login Tricks



Cybersecurity researchers have identified two threat groups that are executing fast-moving attacks almost entirely within software-as-a-service environments, allowing them to operate with very little visible trace of intrusion.

The groups, tracked as Cordial Spider and Snarky Spider, are also known by multiple alternate identifiers across different security vendors. Investigations show that both groups are involved in high-speed data theft followed by extortion attempts, and their methods show a strong overlap in how operations are carried out. Analysts assess that these groups have been active since at least October 2025. One of them is believed to be composed of native English speakers and is linked to a cybercrime network widely referred to as “The Com.”

According to findings from CrowdStrike, these attackers primarily rely on voice phishing, also known as vishing, to initiate their intrusions. In these cases, individuals are contacted and guided toward fraudulent login pages that are designed to imitate single sign-on systems. These pages act as adversary-in-the-middle setups, meaning they intercept and capture authentication data, including login credentials and session details, as the victim enters them. Once this information is obtained, attackers immediately use it to access SaaS applications that are connected through single sign-on integrations.

Researchers explain that the attackers deliberately operate within trusted SaaS platforms to avoid raising suspicion. Because their activity takes place inside legitimate services already used by organizations, their presence generates fewer detectable signals. This allows them to move quickly from initial compromise to data access. The combination of speed, targeted execution, and reliance on SaaS-only environments makes it harder for defenders to monitor and respond effectively.

Earlier research published in January 2026 by Mandiant revealed that these attack patterns represent a continuation of tactics seen in extortion-focused campaigns linked to the ShinyHunters group. These operations involve impersonating IT staff during phone calls to build trust with victims, then directing them to phishing pages in order to collect both login credentials and multi-factor authentication codes.

More recent analysis from Palo Alto Networks Unit 42 and the Retail & Hospitality ISAC indicates, with moderate confidence, that one of the identified clusters is associated with The Com network. These attacks rely heavily on living-off-the-land techniques, where attackers use legitimate system tools instead of introducing malware. They also make use of residential proxy networks to mask their real geographic location and to evade basic IP-based security filtering systems.

Since February 2026, activity linked to one of these clusters has been directed toward organizations in the retail and hospitality sectors. The attackers combine vishing calls, often impersonating IT help desk personnel, with phishing websites designed to capture employee credentials.

Once access is established, the attackers take steps to maintain long-term control. They register a new device within the compromised account to ensure continued access, and in many cases remove previously registered devices. After doing so, they modify email settings by creating inbox rules that automatically delete notifications related to new device logins or suspicious activity, preventing the legitimate user from being alerted.

Following initial access, the attackers shift their focus toward accounts with higher privileges. They collect internal information, such as employee directories, to identify individuals with elevated access and then use further social engineering techniques to compromise those accounts as well. With increased privileges, they move across SaaS platforms including Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, searching for sensitive documents and business-critical data. Any valuable information is then exfiltrated to infrastructure controlled by the attackers.

Researchers note that in many observed cases, the stolen credentials provide access to the organization’s identity provider, which acts as a central authentication system. This creates a single entry point into multiple SaaS applications. By exploiting the trust relationships between the identity provider and connected services, attackers are able to move across the organization’s cloud ecosystem without needing to compromise each application separately. This allows them to access multiple systems using a single authenticated session.
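The inbox-rule step described above leaves a trace in the Exchange Online audit log, because creating or changing a rule is recorded as a New-InboxRule or Set-InboxRule event with the rule's parameters. The following hunting script is an added example, not code from CrowdStrike or the original post: it parses constructed audit records of that shape and flags rules whose conditions mention sign-in or new-device notifications and whose action hides the matching mail. The keyword list and the sample records are assumptions.

```python
"""Hunt Exchange Online audit records for inbox rules that hide security
notifications. Added example; the record shape follows the Unified Audit
Log's New-InboxRule / Set-InboxRule entries and every sample record below
is constructed."""
import json
from typing import Iterable

# Words a defender expects in sign-in / new-device notification mails (assumed list).
NOTIFICATION_WORDS = ("sign-in", "signin", "new device", "security alert",
                      "unusual", "password", "verification", "mfa")
# Rule actions that keep a message out of the user's sight.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")

# Constructed AuditData payloads, one JSON string per audit event.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.test",
                "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "new device;sign-in"},
                    {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.test",
                "Parameters": [
                    {"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.test"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "carol@example.test",
                "Parameters": [
                    {"Name": "Identity", "Value": "Archive"},
                    {"Name": "BodyContainsWords", "Value": "Security alert"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
]


def _params(record: dict) -> dict:
    """Flatten the Parameters array into a name -> value mapping."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def score_rule(record: dict):
    """Return (score, reasons) for one inbox-rule audit record.

    A rule is scored only when a notification keyword in its conditions is
    paired with an action that hides the matching mail; either alone is
    ordinary user behaviour.
    """
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    p = _params(record)
    conditions = " ".join(v.lower() for k, v in p.items() if k.endswith("ContainsWords"))
    hits = [w for w in NOTIFICATION_WORDS if w in conditions]
    actions = [a for a in HIDING_ACTIONS if p.get(a, "") not in ("", "False")]
    if not (hits and actions):
        return 0, []
    reasons = [f"conditions match notification keywords: {hits}",
               f"hiding action(s): {actions}"]
    name = p.get("Name", "")
    if name and not name.strip(" ._-"):
        reasons.append(f"non-descriptive rule name: {name!r}")
    return len(reasons), reasons


def hunt(records: Iterable[str]) -> list:
    """Parse raw AuditData strings and return the rules worth a closer look."""
    findings = []
    for raw in records:
        rec = json.loads(raw)
        score, reasons = score_rule(rec)
        if score:
            findings.append({"user": rec.get("UserId"), "operation": rec["Operation"],
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(finding)
```

Run against a real export, the script would be fed the AuditData column of a Search-UnifiedAuditLog result; the newsletter rule in the sample is deliberately left unflagged to show that a hiding action without a notification keyword is not by itself a finding.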


UNC6692 Uses Microsoft Teams Impersonation to Deploy SNOW Malware

 



A newly tracked threat cluster identified as UNC6692 has been observed carrying out targeted intrusions by abusing Microsoft Teams, relying heavily on social engineering to deliver a sophisticated and multi-stage malware framework.

According to findings from Mandiant, the attackers impersonate internal IT help desk personnel and persuade employees to accept chat requests originating from accounts outside their organization. This method allows them to bypass traditional email-based phishing defenses by exploiting trust in workplace collaboration tools.

The attack typically begins with a deliberate email bombing campaign, where the victim’s inbox is flooded with large volumes of spam messages. This is designed to create confusion and urgency. Shortly after, the attacker initiates contact through Microsoft Teams, posing as technical support and offering assistance to resolve the email issue.

This combined tactic of inbox flooding followed by help desk impersonation is not entirely new. It has previously been linked to affiliates of the Black Basta ransomware group. Although that group ceased operations, the continued use of this playbook demonstrates how effective intrusion techniques often persist beyond the lifespan of the original actors.

Separate research published by ReliaQuest shows that these campaigns are increasingly focused on senior personnel. Between March 1 and April 1, 2026, 77% of observed incidents targeted executives and high-level employees, a notable increase from 59% earlier in the year. In some cases, attackers initiated multiple chat attempts within seconds, intensifying pressure on the victim to respond.

In many similar attacks, victims are convinced to install legitimate remote monitoring and management tools such as Quick Assist or Supremo Remote Desktop, which are then misused to gain direct system control. However, UNC6692 introduces a variation in execution.

Instead of deploying remote access software immediately, the attackers send a phishing link through Teams. The message claims that the link will install a patch to fix the email flooding problem. When clicked, the link directs the victim to download an AutoHotkey script hosted on an attacker-controlled Amazon S3 bucket. The phishing interface is presented as a tool named “Mailbox Repair and Sync Utility v2.1.5,” making it appear legitimate.

Once executed, the script performs initial reconnaissance to gather system information. It then installs a malicious browser extension called SNOWBELT on Microsoft Edge. This is achieved by launching the browser in headless mode and using command-line parameters to load the extension without user visibility.

To reduce the risk of detection, the attackers use a filtering mechanism known as a gatekeeper script. This ensures that only intended victims receive the full payload, helping evade automated security analysis environments. The script also verifies whether the victim is using Microsoft Edge. If not, the phishing page displays a persistent warning overlay, guiding the user to switch browsers.
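The headless Edge launch described above is visible in process-creation telemetry: the browser starts with switches that load an unpacked extension, and its parent is a script interpreter rather than the shell. The detector below is an added example, not part of Mandiant's research; the event fields mirror Sysmon process-creation events, the sample events and the paths in them are constructed, and the list of script hosts is an assumption a defender would tune.

```python
"""Detect browser launches that side-load an extension from a headless or
script-driven session. Added example; sample events are constructed."""
import re
from pathlib import PureWindowsPath

# Switches that let a script load an unpacked extension without the user seeing it.
EXTENSION_FLAGS = ("load-extension", "disable-extensions-except")
HEADLESS_FLAG = "headless"
# Script interpreters an interactive browser launch would not normally descend from (assumed list).
SCRIPT_HOSTS = ("autohotkey", "autohotkey64", "autohotkey32", "powershell", "pwsh",
                "wscript", "cscript", "mshta", "cmd")
BROWSERS = ("msedge.exe", "chrome.exe")

_FLAG_RE = re.compile(r'--([\w-]+)(?:=("[^"]*"|\S*))?')

# Constructed process-creation events (Sysmon-style field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey64.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new '
                    r'--load-extension="C:\Users\jdoe\AppData\Roaming\mbxrepair\ext" '
                    r'--disable-extensions-except="C:\Users\jdoe\AppData\Roaming\mbxrepair\ext" about:blank'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--profile-directory=Default https://intranet.example.test/'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Tools\sitecheck\runner.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--headless --screenshot https://status.example.test/'},
]


def parse_flags(cmdline: str) -> dict:
    """Map each --switch on a Chromium command line to its value ('' when it has none)."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"') for m in _FLAG_RE.finditer(cmdline)}


def classify(event: dict):
    """Return (severity, reasons) for one process-creation event."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in BROWSERS:
        return "none", []
    flags = parse_flags(event["CommandLine"])
    parent = PureWindowsPath(event["ParentImage"]).stem.lower()
    reasons = []
    loaded = [f"--{f}={flags[f]}" for f in EXTENSION_FLAGS if f in flags]
    if loaded:
        reasons.append(f"unpacked extension side-loaded: {loaded}")
    if HEADLESS_FLAG in flags:
        reasons.append("browser launched headless (no visible window)")
    if parent in SCRIPT_HOSTS:
        reasons.append(f"parent is a script interpreter: {parent}")
    # Extension loading combined with headless mode or a scripted parent is the
    # pattern worth paging on; either signal alone is low priority.
    if loaded and (HEADLESS_FLAG in flags or parent in SCRIPT_HOSTS):
        return "high", reasons
    if loaded:
        return "medium", reasons
    if reasons:
        return "low", reasons
    return "none", []


def scan(events) -> list:
    """Classify a batch of events and keep everything that is not benign."""
    results = []
    for event in events:
        severity, reasons = classify(event)
        if severity != "none":
            results.append({"parent": event["ParentImage"], "severity": severity, "reasons": reasons})
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The third sample event, a screenshot job run headless by an internal tool, is kept at low severity rather than suppressed, since headless launches are a legitimate automation pattern and only become interesting when paired with extension loading.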

After installation, SNOWBELT enables the download of additional malicious components, including SNOWGLAZE, SNOWBASIN, further AutoHotkey scripts, and a compressed archive containing a portable Python runtime with required libraries.

The phishing page also includes a fake configuration panel with a “Health Check” option. When users interact with it, they are prompted to enter their mailbox credentials under the assumption of authentication. In reality, this information is captured and transmitted to another attacker-controlled S3 storage location.

The SNOW malware framework operates as a coordinated system. SNOWBELT functions as a JavaScript-based backdoor that receives instructions from the attacker and forwards them for execution. SNOWGLAZE acts as a tunneling component written in Python, establishing a secure WebSocket connection between the compromised machine and the attacker’s command-and-control infrastructure. SNOWBASIN provides persistent remote access, allowing command execution through system shells, capturing screenshots, transferring files, and even removing itself when needed. It operates by running a local HTTP server on ports 8000, 8001, or 8002.

Once inside the network, the attackers expand their control through a series of post-exploitation activities. They scan for commonly used network ports such as 135, 445, and 3389 to identify opportunities for lateral movement. Using the SNOWGLAZE tunnel, they establish remote sessions through tools like PsExec and Remote Desktop.

Privilege escalation is achieved by extracting sensitive credential data from the system’s LSASS process, a critical Windows component responsible for storing authentication information. Attackers then use the Pass-the-Hash technique, which allows them to authenticate across systems using stolen password hashes without needing the actual passwords.

To extract valuable data, they deploy tools such as FTK Imager to capture sensitive files, including Active Directory databases. These files are staged locally before being exfiltrated using file transfer utilities like LimeWire.

Mandiant researchers note that this campaign reflects an evolution in attack strategy by combining social engineering, custom malware, and browser-based persistence mechanisms. A key element is the abuse of trusted cloud platforms for hosting malicious payloads and managing command-and-control operations. Because these services are widely used and trusted, malicious traffic can blend in with legitimate activity, making detection more difficult.

A related campaign reported by Cato Networks underlines similar tactics, where attackers use voice-based phishing within Teams to guide victims into executing a PowerShell script that deploys a WebSocket-based backdoor known as PhantomBackdoor.

Security experts emphasize that collaboration platforms must now be treated as primary attack surfaces. Controls such as verifying help desk communications, restricting external access, limiting screen sharing, and securing PowerShell execution are becoming essential defenses.

Microsoft has also warned that attackers are exploiting cross-organization communication within Teams to establish remote access using legitimate support tools. After initial compromise, they conduct reconnaissance, deploy additional payloads, and establish encrypted connections to their infrastructure.

To maintain persistence, attackers may deploy fallback remote management tools such as Level RMM. Data exfiltration is often carried out using synchronization tools like Rclone. They may also use built-in administrative protocols such as Windows Remote Management to move laterally toward high-value systems, including domain controllers.

These intrusion chains rely heavily on legitimate software and standard administrative processes, allowing attackers to remain hidden within normal enterprise activity across multiple stages of the attack lifecycle.

JanelaRAT Malware Attacks Banks in Brazil and Mexico, Steals Data


Banks in Latin American countries such as Mexico and Brazil have been victims of continuous malware attacks by a strain called JanelaRAT. 

JanelaRAT, an upgraded variant of BX RAT, can steal cryptocurrency and financial data from financial organizations, track mouse input, log keystrokes, collect system information, and take screenshots.

In a recent report, Kaspersky said, “One of the key differences between these trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims' browsers and perform malicious actions.” The hackers behind the JanelaRAT attacks constantly modify the malware versions by adding new features. 


Telemetry data collected by a Russian cybersecurity firm suggests that around 11,695 attacks happened in Mexico and 14,739 in Brazil in 2025. We do not know how many of these led to a successful exploit. 

In June 2023, Zscaler first discovered JanelaRAT in the wild, leveraging ZIP archives containing a VBScript to download another ZIP file, which came with a genuine executable and a DLL payload. The hacker then deploys the DLL side-loading tactic to launch the malware. 

Distribution tactic

An analysis by KPMG in 2025 revealed that the malware is circulated via rogue MSI installer files impersonating legitimate software hosted on trusted sites like GitLab.

"Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch," KPMG said. "These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components."

The scripts are also made to recognize installed Chromium-based browsers and secretly configure their launch parameters to install the extension. The browser add-on collects system data, cookies, browsing history, tab metadata, and installed extensions. It also triggers actions depending upon URL pattern matches. 

Phishing campaign

The recent campaign found by Kaspersky uses phishing emails disguised as overdue invoices to lure recipients into opening a link that supposedly downloads a PDF file; instead, it delivers a ZIP archive that starts the attack chain, including the DLL side-loading used to deploy JanelaRAT.

Since May 2024, JanelaRAT has moved from VBScripts to MSI installers, which act as a dropper for the trojan via DLL side-loading and establish persistence on the victim system by placing a Windows shortcut (LNK) pointing to the executable in the Startup folder.

Victim tracking

According to Kaspersky, “The malware determines if the victim's machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input.” 

If the inactivity is over ten minutes, “the malware notifies the C2 by sending the corresponding message. Upon user activity, it notifies the threat actor again. This makes it possible to track the user's presence and routine to time possible remote operations," Kaspersky said.

Threat Actors Exploit GitHub as C2 in Multi-Stage Attacks Attacking Organizations in South Korea


GitHub attacked by state-sponsored hackers 

Cyber criminals possibly linked with the Democratic People's Republic of Korea (DPRK) have been found using GitHub as a C2 infrastructure in multi-stage campaigns attacking organizations in South Korea. 

The operation chain involves hidden Windows shortcut (LNK) files that work as a beginning point to deploy a fake PDF document and a PowerShell script that triggers another attack. Experts believe that these LNK files are circulated through phishing emails.

Payload execution 

Once the payloads are downloaded, the victim is shown the PDF document while the malicious PowerShell script runs covertly in the background.

The PowerShell script performs anti-analysis checks, looking for running processes associated with virtual machines, forensic tools, and debuggers.

Successful exploit scenario 

If successful, it retrieves a Visual Basic Script (VBScript) and establishes persistence through a scheduled task that launches the PowerShell payload every 30 minutes in a hidden window to evade detection.

This allows the PowerShell script to deploy automatically after every system reboot. “Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload,” S2W reported. 

The PowerShell script then classifies the compromised host, saves the result to a log file, and uploads it to a GitHub repository created under the account “motoralis” using a hard-coded access token. Other GitHub accounts created as part of the campaign include “Pigresy80,” “pandora0009,” “brandonleeodd93-blip,” and “God0808RAMA.”

The script then parses a particular file in the same GitHub repository to retrieve further instructions or modules, letting the threat actor exploit the trust placed in a platform such as GitHub to maintain persistence on the compromised host.

Campaign history 

According to Fortinet, LNK files were used in previous iterations of the campaign to distribute malware families such as Xeno RAT. Notably, last year ENKI and Trellix documented the use of GitHub as C2 to distribute Xeno RAT and its variant MoonPeak.

Kimsuky, a North Korean state-sponsored group, was blamed for these attacks. “Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate,” said researcher Cara Lin.


Microsoft 365 Phishing Bypasses MFA via OAuth Device Codes

 

A recent wave of phishing attacks is bypassing traditional security protections on Microsoft 365, even when multi‑factor authentication (MFA) is enabled. Instead of stealing passwords directly, attackers are abusing legitimate Microsoft login flows to trick users into granting access to their own accounts, effectively sidestepping the security codes that many organizations rely on for protection. These campaigns have already compromised hundreds of organizations, highlighting how modern phishing has evolved beyond simple fake login pages into sophisticated, session‑based attacks. 

The core technique leverages Microsoft’s OAuth 2.0 device authorization flow, a feature designed for devices like printers and TVs that cannot display a full browser. Users receive a phishing email or SMS that looks like a legitimate Microsoft prompt, often claiming that a “secure authorization code” must be entered on a Microsoft login page. When the victim goes to the real Microsoft domain and inputs the code, they quietly grant an attacker‑controlled application long‑lived OAuth tokens that provide full access to their Microsoft 365 mailbox, OneDrive, and Teams. 

Because the login happens on an actual Microsoft site, common phishing filters and user instincts often fail to detect anything unusual. The attacker never needs to capture a password or intercept an SMS code; they simply harvest the access and refresh tokens issued by Microsoft after the user completes MFA. This means that even changing passwords or waiting for a code to expire does not immediately cut off the attacker, since the stolen tokens can persist for extended periods unless explicitly revoked. 

From there, threat actors typically move laterally inside the environment, reading sensitive emails, staging more phishing messages to contacts and colleagues, and sometimes preparing for business email compromise or invoice fraud. In some cases, compromised accounts are used to send follow‑up phishing emails that appear to come from within the organization, making them harder to flag and more likely to succeed. This “inside‑out” style of attack undermines trust in internal communications and can significantly slow down detection and response. 

To counter these threats, organizations must go beyond standard MFA and focus on identity‑centric protections, including conditional access policies, risky‑sign‑in monitoring, and regular review of granted OAuth applications. Users should be trained to treat any unexpected authorization or device‑code request as suspicious, especially if they did not initiate a login, and to report such messages immediately. Combining strong technical controls with continuous security awareness remains the most effective way to reduce the risk of these advanced phishing campaigns on Microsoft 365.
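The “risky-sign-in monitoring” recommended above can be made concrete: Microsoft Entra sign-in records carry an authenticationProtocol field whose value is deviceCode when the device authorization flow was used, so a successful device-code sign-in from an address the user has never signed in from before is the event to alert on. The script below is an added example, not code from the original post; the records are constructed, the allowlist of apps legitimately using device code is an assumption, and the baseline is simply the set of addresses seen on the user's ordinary sign-ins.

```python
"""Flag OAuth device-code sign-ins in Microsoft Entra sign-in records and
decide which ones need a response. Added example; field names follow the
Entra sign-in log schema and every record below is constructed."""
from collections import defaultdict

# Apps the organisation has deliberately set up with device-code sign-in
# (assumed allowlist, maintained by the defender).
EXPECTED_DEVICE_CODE_APPS = {"Lobby Display Player"}

SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-02T08:15:00Z", "userPrincipalName": "alice@example.test",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T08:20:00Z", "userPrincipalName": "bob@example.test",
     "ipAddress": "203.0.113.44", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:40:00Z", "userPrincipalName": "alice@example.test",
     "ipAddress": "198.51.100.77", "appDisplayName": "Mail Sync Helper",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:05:00Z", "userPrincipalName": "bob@example.test",
     "ipAddress": "203.0.113.44", "appDisplayName": "Mail Sync Helper",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:30:00Z", "userPrincipalName": "carol@example.test",
     "ipAddress": "203.0.113.90", "appDisplayName": "Lobby Display Player",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T11:00:00Z", "userPrincipalName": "dave@example.test",
     "ipAddress": "198.51.100.12", "appDisplayName": "Mail Sync Helper",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]


def known_ips(signins) -> dict:
    """Per-user addresses seen on successful sign-ins that did NOT use device code."""
    seen = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            seen[s["userPrincipalName"]].add(s["ipAddress"])
    return seen


def find_device_code_alerts(signins) -> list:
    """Return one alert per successful, non-allowlisted device-code sign-in."""
    baseline = known_ips(signins)
    alerts = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue  # only a successful completion hands out tokens
        if s["appDisplayName"] in EXPECTED_DEVICE_CODE_APPS:
            continue
        user = s["userPrincipalName"]
        new_ip = s["ipAddress"] not in baseline[user]
        # Tokens already issued stay usable until revoked (see the post above),
        # so the response always includes explicit revocation plus a consent review.
        response = ["revoke refresh tokens", "review app consent"]
        if new_ip:
            response.append("contain endpoint")
        alerts.append({"user": user, "app": s["appDisplayName"], "ip": s["ipAddress"],
                       "severity": "high" if new_ip else "medium", "response": response})
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_alerts(SAMPLE_SIGNINS):
        print(alert)
```

In the sample, alice's device-code sign-in comes from an address with no history and is rated high, bob's comes from his usual address and is rated medium, carol's app is on the allowlist, and dave's attempt failed and is ignored because no tokens were issued.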

China-based TA416 Targets European Businesses via Phishing Campaigns

Chinese state-sponsored attacks

A China-based threat actor is targeting European government and diplomatic entities; the activity began in mid-2025 after a two-year period in which the region was not targeted. The campaign has been linked to TA416, whose activity overlaps with the clusters tracked as DarkPeony, Red Lich, RedDelta, SmugX, Vertigo Panda, and UNC6384.

According to Proofpoint, “This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries. Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload."

Multiple attack campaigns

Additionally, TA416 organized multiple campaigns against the government and diplomatic organizations in the Middle East after the US-Iran conflict in February 2026. The attack aimed to gather regional intelligence regarding the conflict.

TA416 also has a history of technical overlaps with a separate group, Mustang Panda (also tracked as UNK_SteadySplit, CerenaKeeper, and Red Ishtar). Together, the two groups are tracked under the names Hive0154, Twill Typhoon, Earth Preta, Temp.HEX, Stately Taurus, and HoneyMyte.

TA416’s attacks use PlugX variants, while the Mustang Panda group has consistently deployed tools such as COOLCLIENT, TONESHELL, and PUBLOAD. One trait common to both is the use of DLL side-loading to load their malware.

Attack tactic

TA416’s latest campaigns against European entities combine web bug and malware delivery operations: the threat actors use freemail sender accounts for reconnaissance and deliver the PlugX backdoor through malicious archives hosted on Google Drive, Microsoft Azure Blob Storage, and compromised SharePoint instances. The PlugX campaigns were previously reported by Arctic Wolf and StrikeReady in October 2025.

According to Proofpoint, “A web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient's IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target.”
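A mail gateway can catch the web bug Proofpoint describes before the recipient's client fetches it. The parser below is an added example, not Proofpoint's or the original post's code: it walks the img tags of an HTML body and reports remote images that are one pixel or smaller, hidden by inline CSS, or carry a long per-recipient token in the query string. The sample message, hostnames, and the 16-character token threshold are constructed assumptions.

```python
"""Find tracking pixels (web bugs) in an HTML e-mail body. Added example;
the message below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML e-mail body: one real image, one hidden remote beacon,
# one inline (non-remote) image that cannot phone home.
SAMPLE_HTML = """
<html><body>
<p>Dear colleague, please find the attached briefing.</p>
<img src="https://cdn.example.test/logo.png" width="120" height="40" alt="logo">
<img src="https://beacon.attacker-example.invalid/o.gif?r=c2FtcGxlLXJlY2lwaWVudC10b2tlbg"
     width="1" height="1" style="display:none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({k: (v or "") for k, v in attrs})


def _px(value: str):
    """Parse a width/height attribute; None when absent or non-numeric."""
    try:
        return float(value.strip().rstrip("px%"))
    except (AttributeError, ValueError):
        return None


def find_web_bugs(html: str, min_token_len: int = 16) -> list:
    """Return remote images that look like beacons, with the reasons for each."""
    parser = _ImgCollector()
    parser.feed(html)
    bugs = []
    for attrs in parser.imgs:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # data: and cid: images never contact a server
        reasons = []
        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 (or smaller) dimensions")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by inline CSS")
        if len(url.query) >= min_token_len:
            reasons.append("per-recipient token in query string")
        if reasons:
            bugs.append({"host": url.hostname, "src": src, "reasons": reasons})
    return bugs


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML):
        print(bug)
```

A gateway would typically strip or rewrite the flagged images rather than block the message outright, since marketing mail uses the same technique; the value for a defender is the host list, which identifies sender infrastructure before any payload stage.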

The TA416 attacks in December last year leveraged third-party Microsoft Entra ID cloud apps to redirect victims to the download of malicious archives. Phishing emails in this campaign link to Microsoft’s genuine OAuth authorization endpoint; once opened, the link redirects the user to an attacker-controlled domain that delivers PlugX.

According to experts, "When the MSBuild executable is run, it searches the current directory for a project file and automatically builds it."

Chinese Threat Actors Attack Southeast Asian Military Targets via Malware


A China-based cyber espionage campaign is targeting military organizations in Southeast Asia. The state-sponsored campaign has been running since 2020.

Palo Alto Networks Unit 42 has been tracking the campaign under the name CL-STA-1087. Here, CL means cluster, and STA means state-backed motivation. 

According to security experts Yoav Zemah and Lior Rochberger, “The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft. The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces.”

About the campaign

The campaign shows traits commonly associated with APT operations, such as defense evasion tactics, tailored delivery methods, custom payload deployment, and stable operational infrastructure that supports sustained access to compromised systems.

MemFun and AppleChris

The threat actors used backdoors called MemFun and AppleChris and a credential harvester called Getpass. Researchers found the tools after detecting malicious PowerShell execution in which the script entered a sleep state and then opened reverse shells to an attacker-controlled C2 server. The exact initial access vector is not known.

About the attack sequence

The compromise sequence deploys different versions of AppleChris across victim endpoints and moves laterally to avoid detection. The attackers were also observed searching for records of joint military activities, detailed assessments of operational capabilities, and official meeting records. The researchers said that the “attackers showed particular interest in files related to military organizational structures and strategy, including command, control, communications, computers, and intelligence (C4I) systems.”

MemFun and AppleChris are designed to access a shared Pastebin account that serves as a dead-drop resolver to retrieve the real C2 address in Base64-encoded format. An AppleChris version also depends on Dropbox to fetch the C2 details via the Pastebin approach, kept as a backup option. Installed via DLL hijacking, AppleChris contacts the C2 server to receive commands to perform drive enumeration and related tasks. 

According to Unit 42, “To bypass automated security systems, some of the malware variants employ sandbox evasion tactics at runtime. These variants trigger delayed execution through sleep timers of 30 seconds (EXE) and 120 seconds (DLL), effectively outlasting the typical monitoring windows of automated sandboxes.”

Fake Google Meet Update Can Give Attackers Control of Your Windows PC

 



Cybersecurity analysts have identified a phishing campaign that can quietly hand control of a Windows computer to attackers after a single click. The scam appears as a routine update notice for Google Meet, but the prompt is fraudulent and redirects victims into a device management system controlled by threat actors.

Unlike many phishing schemes, the technique does not steal passwords, download obvious malware, or display clear warning signs. Instead, the attack relies on convincing users to interact with a page that imitates a standard software update message.


A convincing but fake update message

The deceptive webpage tells visitors they must install the latest version of Meet in order to continue using the service. The design closely resembles a legitimate update notification and uses familiar colors and branding that many users associate with Google products.

However, both the “Update now” button and the “Learn more” link do not connect to any official Google resource. Instead, they activate a special Windows deep link known as ms-device-enrollment:.

This feature is a built-in Windows mechanism designed for corporate environments. IT administrators commonly use it to send employees a link that allows a computer to be enrolled in a company’s device management system with minimal effort. In the attack campaign, the same capability is redirected to infrastructure operated by the attacker.


How the enrollment process begins

Windows enrollment links such as ms-device-enrollment: are commonly used in corporate environments where organizations need to configure large numbers of laptops quickly. The link automatically opens Windows settings and connects the device to an enterprise management server.

Once enrolled, the device becomes part of a management framework that allows administrators to deploy software updates, enforce security policies, and manage system configurations remotely.

Attackers exploit this workflow because users are accustomed to seeing this setup process when joining corporate networks, making it appear legitimate.

When a victim clicks the link, Windows immediately bypasses the browser and opens the operating system’s “Set up a work or school account” dialog. This is the same interface that appears when an organization configures a new employee laptop.

The enrollment request arrives with several fields already filled in. The username displayed is collinsmckleen@sunlife-finance.com, a domain designed to resemble the financial services firm Sun Life Financial. Meanwhile, the server connection is preconfigured to an endpoint hosted at tnrmuv-api.esper[.]cloud, which is part of infrastructure operated by Esper.

The attacker’s objective is not to impersonate the victim’s account perfectly. Instead, the goal is to persuade the user to continue through the legitimate Windows enrollment process. Even if only a small portion of targeted users proceed, that is enough for attackers to gain access to some systems.


What attackers gain after enrollment

If the victim clicks Next and completes the setup wizard, the computer becomes registered with a remote Mobile Device Management (MDM) server.

MDM platforms are commonly used by organizations to manage employee devices. Once a device joins such a system, administrators can remotely install or remove applications, modify operating system settings, access stored files, lock the device, or completely erase its contents.

Because the commands come from a legitimate management platform rather than a malicious program, the operating system performs the actions itself. As a result, there may be no suspicious malware process running on the machine.

The infrastructure used in this campaign relies on Esper, a legitimate enterprise management service that many companies use to control corporate hardware.

Further analysis of the malicious link shows encoded configuration data embedded in the server address. When decoded, the data reveals two identifiers associated with the Esper platform: a blueprint ID that determines which management configuration will be applied and a group ID that specifies the device group the computer will join once enrolled.
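Because the enrollment link is just a URI with query parameters, a mail or web proxy can triage it before the user ever sees the Windows dialog. The script below is an added example, not code from the analysts who reported the campaign: it parses the mode, username and servername parameters of an ms-device-enrollment: link, checks the server host and pre-filled user domain against an allowlist, and decodes any path segment or query value that turns out to be base64url-encoded JSON. The allowlists are placeholders an organisation would fill in, the sample links use constructed hostnames rather than the campaign's, and modelling the embedded configuration as base64url JSON is a guess at how such identifiers could be carried, not a description of the actual encoding.

```python
"""Parse and triage an ms-device-enrollment: link before a user follows it.
Added example. Assumptions: the link uses the mode/username/servername
query parameters; the allowlists are placeholders; the embedded
configuration is modelled as base64url JSON; all sample values are constructed."""
import base64
import json
from urllib.parse import parse_qs, quote, urlparse

# Placeholder allowlists: the only MDM host and user domain this org expects.
TRUSTED_ENROLLMENT_HOSTS = {"mdm.example.test"}
TRUSTED_USER_DOMAINS = {"example.test"}

# Constructed blob standing in for the encoded configuration data.
_BLOB = base64.urlsafe_b64encode(json.dumps(
    {"blueprint_id": "bp-placeholder-0001", "group_id": "grp-placeholder-0002"}
).encode()).decode().rstrip("=")

SAMPLE_MALICIOUS = ("ms-device-enrollment:?mode=mdm"
                    "&username=" + quote("jane.doe@example-finance.invalid", safe="")
                    + "&servername=" + quote(f"https://mdm-example.invalid/{_BLOB}/enroll", safe=""))
SAMPLE_LEGIT = ("ms-device-enrollment:?mode=mdm"
                "&username=" + quote("jane.doe@example.test", safe="")
                + "&servername=" + quote("https://mdm.example.test/", safe=""))


def parse_enrollment_link(link: str) -> dict:
    """Split an ms-device-enrollment: link into its (URL-decoded) parameters."""
    if not link.lower().startswith("ms-device-enrollment:"):
        raise ValueError("not an ms-device-enrollment: link")
    query = link.split("?", 1)[1] if "?" in link else ""
    return {k: v[0] for k, v in parse_qs(query).items()}


def decode_embedded_blobs(url: str) -> dict:
    """Return path segments / query values that base64url-decode to a JSON object."""
    parsed = urlparse(url)
    candidates = [seg for seg in parsed.path.split("/") if seg]
    candidates += [v for vals in parse_qs(parsed.query).values() for v in vals]
    found = {}
    for cand in candidates:
        try:
            raw = base64.urlsafe_b64decode(cand + "=" * (-len(cand) % 4))
            obj = json.loads(raw.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # ordinary path words such as "enroll" fail here
        if isinstance(obj, dict):
            found[cand] = obj
    return found


def triage(link: str) -> dict:
    """Decide whether the link points at approved enrollment infrastructure."""
    params = parse_enrollment_link(link)
    server = params.get("servername", "")
    host = (urlparse(server).hostname or "").lower()
    user = params.get("username", "")
    domain = user.rpartition("@")[2].lower()
    reasons = []
    if host not in TRUSTED_ENROLLMENT_HOSTS:
        reasons.append(f"enrollment server {host!r} is not an approved MDM host")
    if domain not in TRUSTED_USER_DOMAINS:
        reasons.append(f"pre-filled user domain {domain!r} is not ours")
    embedded = decode_embedded_blobs(server)
    for obj in embedded.values():
        reasons.append(f"server URL carries embedded config with keys {sorted(obj)}")
    return {"mode": params.get("mode"), "username": user, "server_host": host,
            "embedded": embedded, "verdict": "block" if reasons else "allow",
            "reasons": reasons}


if __name__ == "__main__":
    print(triage(SAMPLE_MALICIOUS))
    print(triage(SAMPLE_LEGIT))
```

The same allowlist check is what an endpoint policy restricting permitted MDM servers enforces on the device itself; doing it at the proxy as well means the user never reaches the dialog the campaign relies on.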


Abuse of legitimate features

Both the Windows enrollment handler and the Esper management service are functioning exactly as designed. The attacker’s tactic simply redirects these legitimate tools toward unsuspecting users.

Because no malicious software is delivered and no login credentials are requested, the attack can be difficult for security tools to detect. The enrollment prompt displayed to the user is an authentic Windows system dialog rather than a fake webpage. This means typical browser warnings or email filters that look for credential-stealing forms may not flag the activity.

Additionally, the command infrastructure operates on a trusted cloud-based platform, making domain reputation filtering less effective. Security specialists warn that many traditional detection tools are not designed to recognize situations where legitimate operating system features are misused to gain control of a system.

This technique reflects a broader trend in cybercrime. Increasingly, attackers are abandoning conventional malware and instead exploiting built-in operating system capabilities or legitimate cloud services to carry out their operations.


Steps to take if you interacted with the page

Users who believe they may have clicked the fake update prompt should first check whether their device has been enrolled in an unfamiliar management system.

On Windows computers, this can be done by navigating to Settings → Accounts → Access work or school. If an unfamiliar entry appears, particularly one associated with domains such as sunlife-finance or esper, it should be selected and disconnected immediately.

Anyone who clicked the “Update now” link on the malicious site and proceeded through the enrollment wizard should treat the computer as potentially compromised. Running a current anti-malware scan is recommended to determine whether the management server deployed additional software after enrollment.

For organizations, administrators may also want to review device management policies. Endpoint management platforms such as Microsoft Intune allow companies to restrict which MDM servers corporate devices are permitted to join. Implementing such restrictions reduces the risk of unauthorized device enrollment in similar attacks.
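The manual check above (Settings → Accounts → Access work or school) does not scale to a fleet. As an added example, not code from the original post, the following Python script enumerates the per-enrollment keys Windows keeps under `HKLM\SOFTWARE\Microsoft\Enrollments\{GUID}` (the values `DiscoveryServiceFullURL`, `ProviderID` and `UPN` live there) and reports any enrollment whose discovery host is not on an allowlist. The allowlist host `mdm.example.com`, the sample records and the `sunlife-finance`/`esper` marker strings (taken from the post) are illustrative; substitute your own MDM host. On a non-Windows machine the script runs against the constructed sample records instead of the registry.

```python
r"""Audit Windows MDM enrollments against an allowlist of approved MDM hosts.

Added example, not from the original post. On Windows each enrollment lives in
HKLM\SOFTWARE\Microsoft\Enrollments\{GUID} with values such as
DiscoveryServiceFullURL, ProviderID and UPN; anything whose discovery host is
not on the allowlist is reported. "mdm.example.com" is a placeholder host.
"""
import re
import sys
from urllib.parse import urlparse

# Placeholder: the host(s) of the MDM service your organisation actually uses.
APPROVED_MDM_HOSTS = {"mdm.example.com"}

# Name fragments the post associates with the rogue enrollment entries.
KNOWN_BAD_MARKERS = ("sunlife-finance", "esper")

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)


def classify_enrollment(entry, approved_hosts=APPROVED_MDM_HOSTS):
    """Return 'approved', 'known-bad' or 'unknown' for one enrollment record.

    entry: dict with 'guid', 'discovery_url', 'provider_id', 'upn' (empty when absent).
    """
    host = (urlparse(entry.get("discovery_url") or "").hostname or "").lower()
    if host and host in approved_hosts:
        return "approved"
    haystack = " ".join(
        str(entry.get(k) or "") for k in ("discovery_url", "provider_id", "upn")
    ).lower()
    if any(marker in haystack for marker in KNOWN_BAD_MARKERS):
        return "known-bad"
    return "unknown"


def audit(entries, approved_hosts=APPROVED_MDM_HOSTS):
    """Return every enrollment that is not approved, tagged with its verdict."""
    findings = []
    for entry in entries:
        verdict = classify_enrollment(entry, approved_hosts)
        if verdict != "approved":
            findings.append({**entry, "verdict": verdict})
    return findings


def read_enrollments_from_registry():
    """Collect enrollment records from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("registry read requires Windows")
    import winreg  # stdlib, Windows-only

    def value_or_empty(key, name):
        try:
            return str(winreg.QueryValueEx(key, name)[0])
        except OSError:  # value absent on this enrollment
            return ""

    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Enrollments") as root:
        index = 0
        while True:
            try:
                sub_name = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            if not GUID_RE.match(sub_name):  # skip housekeeping keys, keep enrollment GUIDs
                continue
            with winreg.OpenKey(root, sub_name) as sub:
                entries.append({
                    "guid": sub_name,
                    "discovery_url": value_or_empty(sub, "DiscoveryServiceFullURL"),
                    "provider_id": value_or_empty(sub, "ProviderID"),
                    "upn": value_or_empty(sub, "UPN"),
                })
    return entries


# Constructed records standing in for a device that went through the fake
# update prompt; the hosts are illustrative, not the campaign's real ones.
SAMPLE_ENTRIES = [
    {"guid": "{11111111-1111-1111-1111-111111111111}",
     "discovery_url": "https://mdm.example.com/EnrollmentServer/Discovery.svc",
     "provider_id": "Corp MDM", "upn": "alice@example.com"},
    {"guid": "{22222222-2222-2222-2222-222222222222}",
     "discovery_url": "https://sunlife-finance.invalid/EnrollmentServer/Discovery.svc",
     "provider_id": "", "upn": ""},
]

if __name__ == "__main__":
    entries = read_enrollments_from_registry() if sys.platform == "win32" else SAMPLE_ENTRIES
    for finding in audit(entries):
        print(f"{finding['verdict']:10} {finding['guid']} {finding['discovery_url']}")
```

An "unknown" verdict is as important as "known-bad": an enrollment pointing at a host nobody on the IT team recognises is exactly what this campaign produces, and a marker list will never be complete.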

Security researchers have warned that misuse of device management systems can be particularly dangerous because they grant deep administrative control over enrolled devices.

According to analysts from Gartner, enterprise device management platforms often have privileged system access comparable to local administrators, allowing them to modify system policies, install applications, and control security settings remotely.

When such privileges fall into the wrong hands, attackers can effectively operate the device as if they were legitimate administrators.

Microsoft Report Reveals Hackers Exploit AI In Cyberattacks

According to Microsoft, hackers are increasingly using AI to increase the number of attacks, scale cyberattack activity, and lower technical barriers throughout all phases of a cyberattack. 

Microsoft’s new Threat Intelligence report reveals that threat actors are using genAI tools for various tasks, such as phishing, surveillance, malware building, infrastructure development, and post-hack activity. 

About the report

In various incidents, AI helps to create phishing emails, summarize stolen information, debug malware, translate content, and configure infrastructure. “Microsoft Threat Intelligence has observed that most malicious use of AI today centers on using language models for producing text, code, or media. Threat actors use generative AI to draft phishing lures, translate content, summarize stolen data, generate or debug malware, and scaffold scripts or infrastructure,” the report said. 

“For these uses, AI functions as a force multiplier that reduces technical friction and accelerates execution, while human operators retain control over objectives, targeting, and deployment decisions,” warns Microsoft.

AI in cyberattacks 

Microsoft found different hacking gangs using AI in their cyberattacks, such as the North Korean hackers known as Coral Sleet (Storm-1877) and Jasper Sleet (Storm-0287), who use AI in their remote IT worker scams. 

The AI helps to create realistic identities, communications, and resumes to get jobs at Western companies and gain access once hired. Microsoft also explained how AI is being exploited in malware development and infrastructure creation. Threat actors are using AI coding tools to create and refine malicious code, fix errors, and port malware components to different programming languages. 

The impact

A few malware experiments showed traces of AI-enabled malware that generates scripts or configures its behaviour at runtime. Microsoft found Coral Sleet using AI to make fake company sites, manage infrastructure, and troubleshoot their installations. 

When security analysts try to stop the use of AI in these attacks, Microsoft says hackers are using jailbreaking techniques to trick AI into creating malicious code or content. 

Besides generative AI use, the report revealed that hackers experiment with agentic AI to do tasks autonomously. The AI is mainly used for decision-making currently. As IT worker campaigns depend on the exploitation of authentic access, experts have advised organizations to address these attacks as insider risks. 

SLH Pays Up to $1,000 Per Call to Expand IT Help Desk Vishing Operations

A cybercrime network known as Scattered LAPSUS$ Hunters, or SLH, is offering financial rewards ranging from $500 to $1,000 per call to recruit women for voice phishing operations targeting corporate IT help desks.

The development was detailed in a threat intelligence brief published by Dataminr. According to the firm, recruits are provided with prepared scripts and paid upfront for participating in impersonation calls designed to trick help desk staff into granting account access. Analysts assess that specifically seeking female callers may be an intentional tactic to improve credibility and increase the likelihood of successful password or multi-factor authentication resets.

SLH is described as a high-profile cybercrime alliance associated with actors tied to LAPSUS$, Scattered Spider, and ShinyHunters. The group has previously demonstrated the ability to bypass multi-factor authentication using methods such as MFA prompt flooding and SIM swapping.

A core component of its intrusion strategy involves directly contacting help desks or call centers while posing as legitimate employees. Attackers attempt to persuade support staff to reset credentials or deploy remote monitoring and management software that enables persistent remote access. Once inside a network, Scattered Spider operators have been observed moving laterally into virtualized infrastructure, elevating privileges, and extracting sensitive enterprise information. In some incidents, the intrusion progressed to ransomware deployment.

To blend into legitimate traffic and evade detection, the actors routinely leverage trusted infrastructure and residential proxy services, including Luminati and OxyLabs. They have also used tunneling tools such as Ngrok, Teleport, and Pinggy, along with file-sharing platforms like file.io, gofile.io, mega.nz, and transfer.sh to transfer stolen data.

Earlier this month, Palo Alto Networks Unit 42, which tracks Scattered Spider under the alias Muddled Libra, described the actor as highly adept at manipulating human psychology. In one September 2025 investigation, attackers reportedly obtained privileged credentials through a help desk call, created a virtual machine, conducted Active Directory enumeration, and attempted to extract Microsoft Outlook mailbox data along with information downloaded from a Snowflake database.

Unit 42 also documented the group’s extensive targeting of Microsoft Azure environments through the Graph API to gain access to cloud resources. Tools such as ADRecon have been deployed to map directory structures and identify valuable assets.

Dataminr characterized the recruitment campaign as a calculated evolution in tactics, suggesting that the use of female voices may help bypass preconceived attacker profiles that help desk staff are trained to recognize.

Update: Shift Toward Branded Subdomain Impersonation and Mobile-Focused Phishing

In a follow-up assessment dated February 26, 2026, ReliaQuest reported observing ShinyHunters potentially transitioning to branded subdomain impersonation paired with live adversary-in-the-middle phishing and phone-guided social engineering. Observed domains followed formats resembling “organization.sso-verify.com.”

Researchers indicated that the group may be reusing previously exposed software-as-a-service records to craft convincing scenarios and identify the most effective internal targets. This method can enable rapid identity compromise and SaaS access through a single valid single sign-on session or help desk reset, without deploying custom malware.

ReliaQuest assessed that moving away from newly registered lookalike domains could help evade traditional domain-age detection controls. Simultaneously, mobile-oriented phishing lures may reduce visibility within enterprise network monitoring systems. The firm also noted signs of outsourced criminal labor to scale phone, email, and SMS outreach.

While the impersonation style resembles earlier Scattered Spider techniques, ReliaQuest attributed the recent subdomain activity primarily to ShinyHunters based on victim targeting patterns and operational behavior. The company stated it has no independently verifiable evidence confirming that the broader SLH collective is responsible for the subdomain campaign, though partial collaboration among groups remains possible. It also observed Telegram discussions indicating that the actors sometimes “unite” for specific social engineering operations, though the structure and scope of such collaboration remain unclear.

Security experts increasingly warn that help desks represent a critical weak point in modern enterprise defense. As organizations strengthen technical controls such as MFA and endpoint detection, attackers are redirecting efforts toward human intermediaries capable of overriding safeguards. Industry reporting throughout 2024 and 2025 has shown a consistent rise in vishing-led intrusions tied to cloud identity compromise.

Defensive recommendations include implementing stricter identity verification workflows, eliminating SMS-based authentication where possible, enforcing conditional access policies, and conducting post-call audits for new administrative accounts or privilege changes. Continuous monitoring of cloud logs and abnormal single sign-on activity is also considered essential.
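The "post-call audit" in that list is easy to automate once help-desk resets and identity-provider events land in one place. As an added example that is not part of the original post, the Python below correlates each help-desk password or MFA reset with what the same account does in the following window: a privileged role grant, or a single sign-on from a country outside that user's baseline. The event names, field names, role names, baseline table and the JSON-lines sample are all constructed; map them onto your own identity provider's audit log.

```python
"""Post-call audit: tie help-desk credential or MFA resets to what the account
does next (privileged role grants, sign-ins from outside its usual countries).

Added example, not from the post. Event names, fields and the sample lines are
constructed; map them onto your identity provider's audit log.
"""
import json
from datetime import datetime, timedelta

# Constructed audit events, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2025-09-10T14:02:00Z","event":"helpdesk.reset","user":"j.doe","detail":"mfa_reset","by":"agent17"}
{"ts":"2025-09-10T14:09:00Z","event":"sso.login","user":"j.doe","ip":"203.0.113.7","country":"NL"}
{"ts":"2025-09-10T14:25:00Z","event":"role.assigned","user":"j.doe","role":"Global Administrator","by":"j.doe"}
{"ts":"2025-09-10T15:40:00Z","event":"helpdesk.reset","user":"a.smith","detail":"password_reset","by":"agent04"}
{"ts":"2025-09-10T15:45:00Z","event":"sso.login","user":"a.smith","ip":"198.51.100.4","country":"US"}
{"ts":"2025-09-11T09:00:00Z","event":"role.assigned","user":"a.smith","role":"Global Administrator","by":"it.admin"}
"""

# Assumption: per-user sign-in countries seen over a trailing baseline period.
BASELINE_COUNTRIES = {"j.doe": {"US"}, "a.smith": {"US"}}
# Assumption: the role names your IdP uses for tenant-wide administration.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window_minutes=120, baseline=BASELINE_COUNTRIES):
    """Return one finding per help-desk reset that is followed, within the window,
    by a privileged role grant or a sign-in from outside the user's baseline."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for reset in (e for e in events if e["event"] == "helpdesk.reset"):
        user = reset["user"]
        reasons = []
        for ev in events:
            if ev["user"] != user or not (reset["ts"] < ev["ts"] <= reset["ts"] + window):
                continue
            minutes = int((ev["ts"] - reset["ts"]).total_seconds() // 60)
            if ev["event"] == "role.assigned" and ev.get("role") in PRIVILEGED_ROLES:
                reasons.append(f"{ev['role']} granted {minutes} min after reset by {ev.get('by')}")
            elif ev["event"] == "sso.login" and ev.get("country") not in baseline.get(user, set()):
                reasons.append(f"sign-in from {ev.get('country')} ({ev.get('ip')}) {minutes} min after reset")
        if reasons:
            findings.append({"user": user, "reset": reset["detail"],
                             "agent": reset["by"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_LOG)):
        print(f"{finding['user']}: {finding['reset']} by {finding['agent']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

In the sample, `j.doe` is flagged twice (a sign-in from a new country seven minutes after the MFA reset, then a self-granted administrator role), while `a.smith`'s reset is followed only by a normal sign-in and a role change a day later, outside the window. Keying the finding on the help-desk agent as well as the user is deliberate: a run of flagged resets from one agent is what a successful scripted-call campaign looks like from the inside.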

The recruitment-driven expansion of scripted vishing operations signals an ongoing professionalization of social engineering. Rather than relying solely on technical exploits, threat actors are scaling psychologically informed tactics to accelerate high-volume, low-cost account compromise across enterprise environments.

Is Spyware Secretly Hiding on Your Phone? How to Detect It, Remove It, and Prevent It

If your phone has started behaving in ways you cannot explain, such as draining power unusually fast, heating up during minimal use, crashing, or displaying unfamiliar apps, it may be more than a routine technical fault. In some cases, these irregularities signal the presence of spyware, a type of malicious software designed to quietly monitor users and extract personal information.

Spyware typically enters smartphones through deceptive mobile applications, phishing emails, malicious attachments, fraudulent text messages, manipulated social media links, or unauthorized physical access. These programs are often disguised as legitimate utilities or helpful tools. Once installed, they operate discreetly in the background, avoiding obvious detection.

Depending on the variant, spyware can log incoming and outgoing calls, capture SMS and MMS messages, monitor conversations on platforms such as Facebook and WhatsApp, and intercept Voice over IP communications. Some strains are capable of taking screenshots, activating cameras or microphones, tracking location through GPS, copying clipboard data, recording keystrokes, and harvesting login credentials or cryptocurrency wallet details. The stolen information is transmitted to external servers controlled by unknown operators.

Not all spyware functions the same way. Some applications focus on aggressive advertising tactics, overwhelming users with pop-ups, altering browser settings, and collecting browsing data for revenue generation. Broader mobile surveillance tools extract system-level data and financial credentials, often distributed through mass phishing campaigns. More intrusive software, frequently described as stalkerware, is designed to monitor specific individuals and has been widely associated with domestic abuse cases. At the highest level, intricately designed commercial surveillance platforms such as Pegasus have been deployed in targeted operations, although these tools are costly and rarely directed at the general public.

Applications marketed as parental supervision or employee productivity tools also require caution. While such software may have legitimate oversight purposes, its monitoring capabilities mirror those of spyware if misused or installed without informed consent.

Identifying spyware can be difficult because it is engineered to remain hidden. However, several warning indicators may appear. These include sudden battery drain, overheating, sluggish performance, unexplained crashes, random restarts, increased mobile data consumption, distorted calls, persistent pop-up advertisements, modified search engine settings, unfamiliar applications, difficulty shutting down the device, or unexpected subscription charges. Receiving suspicious messages that prompt downloads or permission changes may also signal targeting attempts. If a device has been out of your possession and returns with altered settings, tampering should be considered.

On Android devices, reviewing whether installation from unofficial sources has been enabled is critical, as this setting allows apps outside the Google Play Store to be installed. Users should also inspect special app access and administrative permissions for unfamiliar entries. Malicious programs often disguise themselves with neutral names such as system utilities. Although iPhones are generally more resistant without jailbreaking or exploited vulnerabilities, they are not immune. Failing to install firmware updates increases exposure to known security flaws.

If spyware is suspected, measured action is necessary. Begin by installing reputable mobile security software from verified vendors and running a comprehensive scan. Manually review installed applications and remove anything unfamiliar. Examine permission settings and revoke excessive access. On Android, restarting the device in Safe Mode temporarily disables third-party apps, which may assist in removal. Updating the operating system can also disrupt malicious processes. If the issue persists, a factory reset may be required. Important data should be securely backed up before proceeding, as this step erases all stored content. In rare instances, professional technical assistance or device replacement may be needed.

Long-term protection depends on consistent preventive practices. Maintain strict physical control over your phone and secure it with a strong password or biometric authentication. Configure automatic screen locking to reduce the risk of unauthorized access. Install operating system updates promptly, as they contain critical security patches. Download applications only from official app stores and review developer credibility, ratings, and permission requests carefully before installation. Enable built-in security scanners and avoid disabling system warnings. Regularly audit app permissions, especially for access to location, camera, microphone, contacts, and messages.

Remain cautious when interacting with links or attachments received through email, SMS, or social media, as phishing remains a primary delivery method for spyware. Avoid jailbreaking or rooting devices, since doing so weakens built-in protections and increases vulnerability. Activate multi-factor authentication on essential accounts such as email, banking, and cloud storage services, and monitor login activity for irregular access. Periodically review mobile data usage and billing statements for unexplained charges. Maintain encrypted backups so decisive action, including a factory reset, can be taken without permanent data loss.

No mobile device can be guaranteed completely immune from surveillance threats. However, informed digital habits, timely updates, disciplined permission management, and layered account security significantly reduce the likelihood of covert monitoring. In an era where smartphones store personal, financial, and professional data, vigilance remains the strongest defense.

North Korean Hackers Deploy New macOS Malware in Crypto Theft Campaign

North Korean hackers, tracked as UNC1069 by Google's Mandiant, have deployed sophisticated new macOS malware in targeted cryptocurrency theft campaigns. These attacks leverage AI-generated deepfake videos and social engineering via Telegram to trick victims into executing malicious commands. The operation, uncovered during an investigation into a fintech company breach, highlights the evolving threat to macOS users in the crypto sector.

The malicious campaign begins with hackers compromising a legitimate Telegram account from a crypto executive to build rapport with targets. They direct victims to a spoofed Calendly link leading to a fake Zoom page hosting a deepfake CEO video call. Posing as audio troubleshooting, attackers guide users to run ClickFix-style commands from a webpage, tailored for both macOS and Windows, initiating payload deployment.

Mandiant identified seven distinct macOS malware families in the chain, starting with AppleScript and a malicious Mach-O binary. Key tools include WAVESHAPER, a C++ backdoor for system reconnaissance and C2 communication; HYPERCALL and HIDDENCALL, Golang loaders and backdoors enabling remote access; and SILENCELIFT, a minimal backdoor disrupting Telegram on rooted systems. Newer implants like DEEPBREATH, a Swift data miner bypassing TCC protections to steal keychain, browser, and Telegram data, underscore the attack's breadth.

Additional malware such as SUGARLOADER, a persistent C++ downloader, and CHROMEPUSH, a Chromium extension stealer harvesting credentials and keystrokes, maximize data exfiltration. This unusually high volume of payloads on a single host aims at crypto theft and future social engineering using stolen identities. Detection remains low, with only SUGARLOADER and WAVESHAPER showing VirusTotal flags, emphasizing stealth.

UNC1069, active since 2018, shifted from Web3 targets in 2023 to financial services and crypto infrastructure last year. Similar tactics were seen in 2025 BlueNoroff attacks, but this campaign introduces novel tools amid North Korea's growing macOS focus. Crypto firms must prioritize endpoint detection, deepfake awareness training, and TCC hardening to counter these persistent threats.

Bithumb Mistakenly Credits Users With Billions in Bitcoin During Promotion Error

A promotional campaign at South Korean cryptocurrency exchange Bithumb turned into a large-scale operational incident after a data entry mistake resulted in users receiving bitcoin instead of a small cash-equivalent reward.

Initial reports suggested that certain customers were meant to receive 2,000 Korean won as part of a routine promotional payout. Instead, those accounts were credited with 2,000 bitcoin each. At current market valuations, 2,000 bitcoin represents roughly $140 million per account, transforming what should have been a minor incentive into an extraordinary allocation.

Bithumb later confirmed that the scope of the error was larger than early estimates. According to the exchange, a total of 620,000 bitcoin was mistakenly credited to 695 user accounts. Based on prevailing prices at the time of the incident, that amount corresponded to approximately $43 billion in value. The exchange stated that the issue stemmed from an internal processing mistake and was not connected to external hacking activity or a breach of its security infrastructure. It emphasized that customer asset custody systems were not compromised.

The sudden appearance of large bitcoin balances had an immediate effect on trading activity within the platform. Bithumb reported that the incident contributed to a temporary decline of about 10 percent in bitcoin’s price on its exchange, as some affected users rapidly sold the credited assets. To contain further disruption, the company restricted withdrawals and suspended certain transactions linked to the impacted accounts. It stated that 99.7 percent of the mistakenly issued bitcoin has since been recovered.

The event has revived discussion around the concept often described as “paper bitcoin.” On centralized exchanges, user balances are reflected in internal ledgers rather than always corresponding to coins held in individual blockchain wallets. In practice, exchanges may not maintain a one-to-one on-chain reserve for every displayed balance at every moment. This structural model has previously drawn criticism, most notably during the collapse of Mt. Gox in 2014, which was then the largest bitcoin exchange globally. Its failure exposed major discrepancies between reported and actual holdings.

Data from blockchain analytics firm Arkham Intelligence indicates that Bithumb currently controls digital assets worth approximately $5.3 billion. That figure is substantially lower than the $43 billion temporarily reflected in the erroneous credits, underscoring that the allocation existed within internal accounting records rather than as newly transferred blockchain assets.

Observers on social media platform X questioned how such a large discrepancy could occur without automated safeguards preventing the issuance. Bithumb has faced security challenges in the past. In 2017, an employee’s device was compromised, exposing customer data later used in phishing attempts. In 2018, around $30 million in cryptocurrency was stolen in an attack attributed to the Lazarus Group, an organization widely linked to North Korea. A further breach in 2019 resulted in losses of roughly $20 million and was initially suspected to involve insider participation. In each instance, Bithumb stated that it compensated affected users for lost funds, though earlier incidents included exposure of personal information.
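The question raised on X, how a credit of the wrong asset could be issued without an automated safeguard stopping it, has a textbook answer: validate a payout batch against the campaign's declared asset and caps and apply it all-or-nothing. The Python below is an added example, not the post's content and not a description of Bithumb's systems, which the post does not detail. The rule set (one asset per campaign, a per-user cap, a batch total cap, no duplicate recipients) and the sample batches are assumptions.

```python
"""Fail-closed validation of a promotional credit batch before it reaches user
ledgers. Added example, not from the post; Bithumb's internal systems are not
described there. Rules are an assumption: a campaign declares its asset and
per-user and total caps, and a batch that violates any rule is rejected whole.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Campaign:
    campaign_id: str
    asset: str            # the only asset this campaign may pay out in
    max_per_user: Decimal
    max_total: Decimal


@dataclass(frozen=True)
class Credit:
    user_id: str
    asset: str
    amount: Decimal


def validate_batch(campaign, credits):
    """Return a list of violations; an empty list means the batch may be applied."""
    errors = []
    seen = set()
    total = Decimal(0)
    for c in credits:
        if c.asset != campaign.asset:
            errors.append(f"{c.user_id}: asset {c.asset} does not match campaign asset {campaign.asset}")
        if c.amount <= 0:
            errors.append(f"{c.user_id}: non-positive amount {c.amount}")
        elif c.amount > campaign.max_per_user:
            errors.append(f"{c.user_id}: {c.amount} exceeds per-user cap {campaign.max_per_user}")
        if c.user_id in seen:
            errors.append(f"{c.user_id}: credited twice in one batch")
        seen.add(c.user_id)
        total += c.amount
    if total > campaign.max_total:
        errors.append(f"batch total {total} exceeds campaign cap {campaign.max_total}")
    return errors


def apply_batch(campaign, credits, ledger):
    """Apply every credit or none of them. Returns (applied, errors)."""
    errors = validate_batch(campaign, credits)
    if errors:
        return False, errors
    for c in credits:
        key = (c.user_id, c.asset)
        ledger[key] = ledger.get(key, Decimal(0)) + c.amount
    return True, []


# Constructed: a 2,000 KRW promotion and a batch where one row carries the right
# number but the wrong asset, the shape of mistake the post describes.
PROMO = Campaign("promo-2026-02", "KRW", Decimal("2000"), Decimal("10000000"))
GOOD_BATCH = [Credit("u1", "KRW", Decimal("2000")), Credit("u2", "KRW", Decimal("2000"))]
BAD_BATCH = [Credit("u1", "KRW", Decimal("2000")), Credit("u2", "BTC", Decimal("2000"))]

if __name__ == "__main__":
    ledger = {}
    for label, batch in (("good", GOOD_BATCH), ("bad", BAD_BATCH)):
        applied, errors = apply_batch(PROMO, batch, ledger)
        print(label, "applied" if applied else "rejected", errors)
```

Two design points matter more than the individual rules: the asset is a property of the campaign rather than of each row, so a row cannot quietly carry "BTC" where "KRW" was meant, and the amount is a `Decimal`, so no float rounding enters the comparison against the caps.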

Beyond cybersecurity events, the exchange has also been subject to regulatory scrutiny, including investigations related to alleged fraud, embezzlement, and promotional practices. Reports indicate it was again raided this week over concerns involving misleading advertising.

Bithumb maintains that no customer ultimately suffered a net financial loss from the recent error, though the price movement raised concerns about potential liquidations for leveraged traders. A comparable situation occurred at decentralized exchange Paradex, which reversed trades following a pricing malfunction.

The incident unfolds amid broader market strain, with digital asset prices far below their October peaks and political debate intensifying around cryptocurrency-linked business interests connected to U.S. public figures. Recent disclosures from the U.S. Department of Justice concerning Jeffrey Epstein’s early involvement in cryptocurrency ventures have further fueled online speculation and conspiracy narratives across social platforms.

Fraudsters Use Postal Mail to Target Crypto Hardware Wallet Owners

Cybercriminals are using traditional mail services to target cryptocurrency users who own hardware wallets manufactured by Trezor and Ledger. The attackers are distributing printed letters that falsely present themselves as official security notifications and attempt to trick recipients into revealing their wallet recovery phrases.

The letters instruct users to complete a compulsory “Authentication Check” or “Transaction Check,” claiming this step will soon become mandatory. Recipients are warned that failure to comply before stated deadlines could result in disrupted wallet functionality. One Trezor-themed letter sets February 15, 2026 as the cutoff date, while a Ledger-branded version references October 15, 2025.

The correspondence appears professionally formatted and claims to originate from internal security or compliance departments. In a case shared publicly by cybersecurity researcher Dmitry Smilyanets, a Trezor-related letter stated that authentication would soon be enforced across devices and urged users to scan a QR code to prevent interruption of Trezor Suite access. The letter further asserted that even if users had already enabled authentication on their device, they must repeat the process to ensure full activation and synchronization of the feature.

The QR codes direct recipients to fraudulent domains including trezor.authentication-check[.]io and ledger.setuptransactioncheck[.]com. At the time of reporting, the Ledger-linked domain was inactive, while the Trezor-related site remained accessible but displayed a phishing warning from Cloudflare.

The Trezor-themed phishing page states that users must complete authentication by February 15, 2026 unless they purchased specific models, including Trezor Safe 7, Safe 5, Safe 3, or Safe 1, after November 30, 2025, in which case the feature is allegedly preconfigured. After selecting “Get Started,” users are warned that ignoring the process could lead to blocked access, transaction signing errors, and complications with future updates.

Those who continue are prompted to enter their wallet recovery phrase. The form accepts 12-, 20-, or 24-word phrases and claims the information is necessary to confirm device ownership. Technical analysis shows that submitted phrases are transmitted through a backend endpoint located at /black/api/send.php on the phishing domain.
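The two domains above follow the same pattern ReliaQuest described in the SLH post earlier on this page ("organization.sso-verify.com"): the trusted name is placed in the subdomain of a domain the attacker registered, so a check that only compares the registrable domain against a blocklist, or that only looks at domain age, sees nothing wrong. As an added example that serves both posts and is not code from either, the Python below refangs an indicator, extracts its registrable domain, and reports whether a protected brand name appears as a subdomain label, inside the registrable domain itself (the classic lookalike), or under a domain the brand really owns. The tiny public-suffix table and the `acme-corp` customer are assumptions; `trezor.io` and `ledger.com` are the vendors' own domains.

```python
"""Classify hostnames that borrow a trusted brand or customer name: either as a
subdomain of an unrelated registrable domain (acme-corp.sso-verify.com,
trezor.authentication-check.io) or inside the registrable domain itself
(classic lookalikes). Added example, not from either post.

Assumption: the tiny PUBLIC_SUFFIXES table stands in for the Public Suffix List.
"""
import re

PUBLIC_SUFFIXES = {"com", "io", "net", "org", "co.uk", "com.au"}


def refang(indicator):
    """Turn defanged notation ('trezor[.]io', 'hxxps://') into a plain lowercase host."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^(hxxps?|https?)://", "", s, flags=re.IGNORECASE)
    return s.split("/")[0].split(":")[0].lower()


def registrable_domain(host):
    """Return the eTLD+1 ('authentication-check.io' for 'trezor.authentication-check.io')."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def classify_host(host, brands, owned_domains):
    """'owned'              host sits under a domain the brand really controls
       'brand-in-subdomain' brand name is a subdomain label of an unrelated domain
       'brand-in-domain'    brand name is embedded in the registrable domain
       'unrelated'          none of the above"""
    host = refang(host)
    reg = registrable_domain(host)
    if reg in owned_domains:
        return "owned"
    sub = host[: -len(reg) - 1] if host != reg else ""
    sub_labels = sub.split(".") if sub else []
    reg_label = reg.split(".")[0]
    for brand in (b.lower() for b in brands):
        if any(brand == lab or brand in lab.split("-") for lab in sub_labels):
            return "brand-in-subdomain"
        if brand in reg_label:
            return "brand-in-domain"
    return "unrelated"


# Constructed sample: the shapes named in the posts plus legitimate hosts for contrast.
SAMPLE_HOSTS = [
    "acme-corp.sso-verify.com",           # ReliaQuest's "organization.sso-verify.com" shape
    "trezor.authentication-check[.]io",   # from the hardware-wallet letters, defanged
    "hxxps://ledger.setuptransactioncheck[.]com/",
    "suite.trezor.io",                    # vendor-owned
    "trezor-support.com",                 # classic lookalike for contrast
    "example.com",
]
BRANDS = ["acme-corp", "trezor", "ledger"]
OWNED = {"acme-corp.com", "trezor.io", "ledger.com"}  # assumption: acme-corp is the customer


def triage(hosts=SAMPLE_HOSTS, brands=BRANDS, owned=OWNED):
    """Map every host to its verdict."""
    return {h: classify_host(h, brands, owned) for h in hosts}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{verdict:20} {host}")
```

Run over certificate-transparency logs or passive DNS for your own organisation's name, the "brand-in-subdomain" verdict is the one that domain-age and lookalike rules miss; the `refang` step is there because this kind of indicator usually arrives defanged in a report, as it does in the post above.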

With access to the recovery phrase, attackers can restore the wallet on another device and transfer funds.

The method used to identify recipients remains unclear. However, both manufacturers have experienced past data breaches that exposed customer contact information, potentially increasing targeting risks.

Although email-based crypto phishing is common, physical mail scams remain relatively uncommon. In 2021, attackers mailed tampered Ledger devices designed to capture recovery phrases during setup. A similar postal campaign targeting Ledger users was reported again in April.

A recovery phrase, also called a seed phrase, represents the private cryptographic key controlling a cryptocurrency wallet. Anyone who obtains it gains complete control over the associated funds.

Legitimate hardware wallet providers do not request recovery phrases through mail, QR codes, websites, or email. The phrase should only be entered directly on the hardware device during a genuine restoration process.



Google Links CANFAIL Malware Attacks to Suspected Russia-Aligned Group

A newly identified cyber espionage group has been linked to a wave of digital attacks against Ukrainian institutions, according to findings released by the Google Threat Intelligence Group. Investigators say the activity involves a malware strain tracked as CANFAIL and assess that the operator is likely connected to Russian state intelligence interests.

The campaign has primarily focused on Ukrainian government structures at both regional and national levels. Entities tied to defense, the armed forces, and the energy sector have been repeatedly targeted. Analysts state that the selection of victims reflects strategic priorities consistent with wartime intelligence gathering.

Beyond these sectors, researchers observed that the actor’s attention has widened. Aerospace companies, manufacturers producing military equipment and drone technologies, nuclear and chemical research institutions, and international organizations engaged in conflict monitoring or humanitarian assistance in Ukraine have also been included in targeting efforts. This broader focus indicates an attempt to collect information across supply chains and support networks linked to the war.

While the group does not appear to possess the same operational depth as some established Russian hacking units, Google’s analysts note a recent shift in capability. The actor has reportedly begun using large language models to assist in reconnaissance, draft persuasive phishing content, and resolve technical challenges encountered after gaining initial access. These tools have also been used to help configure command-and-control infrastructure, allowing the attackers to manage compromised systems more effectively.

Email-based deception remains central to the intrusion strategy. In several recent operations, the attackers posed as legitimate Ukrainian energy providers in order to obtain unauthorized access to both organizational and personal email accounts. In separate incidents, they impersonated a Romanian energy supplier that serves Ukrainian clients. Investigators also documented targeting of a Romanian company and reconnaissance activity involving organizations in Moldova, suggesting regional expansion of the campaign.

To improve the precision of their phishing efforts, the attackers compile tailored email distribution lists based on geographic region and industry sector. The malicious messages frequently contain links hosted on Google Drive. These links direct recipients to download compressed RAR archives that contain the CANFAIL payload.

CANFAIL itself is a heavily obfuscated JavaScript program. It is commonly disguised with a double file extension, such as “.pdf.js,” to make it appear as a harmless document. When executed, the script launches a PowerShell command that retrieves an additional PowerShell-based dropper. This secondary component runs directly in system memory, a technique designed to reduce forensic traces on disk and evade conventional security tools. At the same time, the malware displays a fabricated error notification to mislead the victim into believing the file failed to open.
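A double extension such as ".pdf.js" works because file listings show the first extension and hide the real one. As an added example, not code from the post, the Python below is the kind of filename rule a mail gateway or archive scanner applies to attachments and to the member names inside the RAR archives the campaign delivers: it flags a document-looking extension immediately followed by a script or executable extension, a run of spaces used to push the real extension out of view, and invisible Unicode format characters. The extension lists and the sample names are assumptions to extend for your environment.

```python
"""Flag file names that hide a script or executable behind a document-looking
extension, the way CANFAIL's '.pdf.js' naming is described. Added example, not
from the post; the extension lists are an assumption to extend for your gateway.
Apply it to attachments and to the member names inside archives (RAR, ZIP).
"""
import re
import unicodedata

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "bat", "cmd", "scr", "exe", "lnk"}


def analyse_filename(name):
    """Return the reasons a name looks deceptive; an empty list means nothing noticed."""
    reasons = []
    # Unicode 'format' characters (zero-width, bidi overrides) are invisible in listings.
    if any(unicodedata.category(ch) == "Cf" for ch in name):
        reasons.append("contains invisible/format characters")
    clean = "".join(ch for ch in name if unicodedata.category(ch) != "Cf").lower()
    parts = [p.strip() for p in clean.split(".")]
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS:
        reasons.append(f"document extension '.{parts[-2]}' masks executable '.{parts[-1]}'")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS and re.search(r"\s{3,}\.", clean):
        reasons.append("run of spaces pushes the real extension out of view")
    return reasons


def triage(names):
    """Map each suspicious name to its reasons (clean names are omitted)."""
    result = {}
    for name in names:
        reasons = analyse_filename(name)
        if reasons:
            result[name] = reasons
    return result


# Constructed names: benign ones plus the patterns described above.
SAMPLE_NAMES = [
    "report.pdf.js",            # the CANFAIL shape
    "archive.tar.gz",           # legitimate double extension
    "invoice.pdf",
    "Contract.PDF\u200b.js",    # zero-width space hides the join
    "scan.jpg      .exe",       # padding pushes '.exe' off the visible column
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(repr(name))
        for reason in reasons:
            print("   -", reason)
```

Note that `archive.tar.gz` passes: the rule fires only when the final extension is something Windows will execute, which keeps the false-positive rate on ordinary double extensions near zero.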

Google’s researchers further link this threat activity to a campaign known as PhantomCaptcha. That operation was previously documented in October 2025 by researchers at SentinelOne through its SentinelLABS division. PhantomCaptcha targeted organizations involved in Ukraine-related relief initiatives by sending phishing emails that redirected recipients to fraudulent websites. Those sites presented deceptive instructions intended to trigger the infection process, ultimately delivering a trojan that communicates over WebSocket channels.

The investigation illustrates how state-aligned actors continue to adapt their methods, combining traditional phishing tactics with newer technologies to sustain intelligence collection efforts tied to the conflict in Ukraine.

New Ransomware Uses Trusted Drivers to Disable Security Defenses

Security monitoring teams are tracking a new ransomware strain called Reynolds that merges system sabotage and file encryption into a single delivery package. Instead of relying on separate utilities to weaken defenses, the malware installs a flawed system driver as part of the infection process, allowing it to disable protective software before encrypting data.

The method used is known in security research as Bring Your Own Vulnerable Driver, or BYOVD. This approach abuses legitimate drivers that contain known weaknesses. Because operating systems recognize these drivers as trusted components, attackers can exploit them to gain deep system access and stop endpoint protection tools with reduced risk of detection. This tactic has been repeatedly observed across multiple ransomware operations in recent years.

In the Reynolds incidents, the malware deploys the NSecKrnl driver produced by NsecSoft. This driver contains a publicly documented vulnerability tracked as CVE-2025-68947, rated 5.7 in severity. The flaw allows any running process to be forcibly terminated, which attackers use to shut down security platforms including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos with HitmanPro.Alert, and Symantec Endpoint Protection. The same driver has previously been abused by a threat actor known as Silver Fox in campaigns that disabled security tools before deploying ValleyRAT. Silver Fox has also relied on other vulnerable drivers, such as truesight.sys and amsdk.sys, during similar operations.
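Because a BYOVD driver is validly signed, signature checks alone will not catch it; what stands out is the driver's identity and where it was loaded from. As an added example, not code from the post, the Python below scans driver-load telemetry for the drivers the post names (NSecKrnl, truesight.sys, amsdk.sys) and for any kernel driver loaded from a user-writable directory, which a legitimate driver has no reason to do. The key=value line shape imitates a Sysmon "Driver loaded" (event ID 6) record but is an assumption, the sample lines are constructed, and the file name used for NSecKrnl is matched on its stem because the post gives only the driver's name. Hashes are placeholders to be filled from an authoritative blocklist.

```python
"""Scan driver-load telemetry for drivers the post names as BYOVD tools and for
drivers loaded from user-writable paths. Added example, not from the post.
The key=value line shape imitates a Sysmon 'Driver loaded' (event ID 6) record
but is an assumption; the sample lines and hashes are constructed.
"""
import re

# File-name stems of drivers the post says were abused (matched case-insensitively).
ABUSED_DRIVER_STEMS = {
    "nseckrnl": "NsecSoft NSecKrnl, CVE-2025-68947 (arbitrary process termination)",
    "truesight": "truesight.sys, also used by Silver Fox",
    "amsdk": "amsdk.sys, also used by Silver Fox",
}
# Kernel drivers have no business loading from these locations.
USER_WRITABLE_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Constructed events; the 'Hashes' values are placeholders, not real hashes.
SAMPLE_EVENTS = [
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Hashes=SHA256=<placeholder> Signed=true Signature=Microsoft Windows",
    r"EventID=6 ImageLoaded=C:\Windows\Temp\NSecKrnl64.sys Hashes=SHA256=<placeholder> Signed=true Signature=NsecSoft",
    r"EventID=6 ImageLoaded=C:\Users\Public\tools\helper.sys Hashes=SHA256=<placeholder> Signed=true Signature=Some Vendor",
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\truesight.sys Hashes=SHA256=<placeholder> Signed=true Signature=Some Vendor",
]

# key=value pairs whose values may contain spaces; a value ends where the next 'key=' begins.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one telemetry line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def assess(event):
    """Return the reasons this driver load is worth a look (empty if none)."""
    reasons = []
    path = event.get("ImageLoaded", "")
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for stem, note in ABUSED_DRIVER_STEMS.items():
        if stem in name:
            reasons.append(f"known abused driver: {note}")
    if path.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("loaded from a user-writable directory")
    return reasons


def scan(lines):
    """Return (driver path, reasons) for every event that raised a concern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            hits.append((event.get("ImageLoaded", "?"), reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Detection of this kind is the backstop, not the control: the preventive measure is to enforce Microsoft's vulnerable driver blocklist through driver block rules, so that a known-bad signed driver is refused at load time rather than noticed afterwards. A name list also ages quickly, which is why the path heuristic is kept alongside it.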

Security analysts note that integrating defense suppression into ransomware itself is not unprecedented. A comparable approach appeared during a Ryuk ransomware incident in 2020 and later in activity linked to the Obscura ransomware family in August 2025. Folding multiple attack stages into a single payload reduces operational complexity for attackers and decreases the number of separate files defenders might detect.

Investigations into recent intrusions uncovered signs of long-term preparation. A suspicious loader that used side-loading techniques was found on victim networks several weeks before encryption occurred. Following deployment of the ransomware, a remote access program known as GotoHTTP was installed within one day, indicating an effort to preserve long-term control over compromised systems.

Parallel ransomware campaigns reveal additional shifts in attacker behavior. Large phishing operations are circulating shortcut file attachments that trigger PowerShell scripts, leading to the installation of Phorpiex malware, which then delivers GLOBAL GROUP ransomware. This ransomware conducts all operations locally and does not transmit stolen data, allowing it to function in networks without internet access. Other campaigns tied to WantToCry have exploited virtual machines provisioned through ISPsystem, a legitimate infrastructure management service, to distribute malware at scale. Some of the same hosting infrastructure has been linked to LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as malware families including NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer.

Researchers assess that bulletproof hosting providers are renting ISPsystem virtual machines to criminal actors by abusing a design flaw in VMmanager’s default Windows templates. Because these templates reuse identical hostnames and system identifiers, thousands of virtual machines can be created with the same fingerprint, making takedown efforts more difficult.

Ransomware groups are also expanding their business models. DragonForce now provides affiliates with a “Company Data Audit” service, which includes risk assessments, pre-written call scripts, executive-level letters, and negotiation guidance. The group operates as a cartel that allows affiliates to launch their own brands while sharing infrastructure and services.

Technical changes are shaping newer ransomware versions. LockBit 5.0 has replaced AES encryption with ChaCha20 and now targets Windows, Linux, and ESXi environments. The latest version adds file wiping, delayed execution, encryption progress tracking, improved evasion, more of its execution kept in memory, and a smaller on-disk footprint. The Interlock group continues to target organizations in the United Kingdom and United States, particularly in education. One attack exploited a zero-day vulnerability in the GameDriverx64.sys anti-cheat driver, tracked as CVE-2025-61155 (CVSS 5.5), to disable security tools using BYOVD methods. The same campaign deployed NodeSnake, also known as Interlock RAT or CORNFLAKE, with MintLoader identified as the initial access vector.
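Both the NSecKrnl abuse described earlier and the GameDriverx64.sys case above leave the same artifact on the endpoint: a signed but known-vulnerable driver being loaded, often from an unusual path. The Python below is an added example written for this page, not code from any of the vendors named in the article. It screens Sysmon Event ID 6 (DriverLoad) records against a blocklist, matching on SHA256 first and falling back to the driver filenames the article mentions at lower confidence, because the attacker chooses the on-disk name. The sample events and every hash in it are constructed placeholders; a real deployment would load hashes from Microsoft's vulnerable driver blocklist or the LOLDrivers project.

```python
"""Screen Sysmon DriverLoad (Event ID 6) records for known-vulnerable drivers.

Added example for this page; all hashes and sample events are constructed
placeholders, not real blocklist entries or real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Placeholder SHA256 values standing in for real blocklist entries. In practice
# these come from Microsoft's vulnerable driver blocklist or the LOLDrivers project.
BLOCKLIST_SHA256 = {
    "11" * 32: "NSecKrnl (NsecSoft), CVE-2025-68947 arbitrary process kill",
    "22" * 32: "truesight.sys",
}

# Filenames named in the article. A filename hit alone is weak evidence because
# the attacker chooses the on-disk name, so it is reported at low confidence.
BLOCKLIST_NAMES = {"nseckrnl.sys", "truesight.sys", "amsdk.sys", "gamedriverx64.sys"}


@dataclass(frozen=True)
class Finding:
    image: str        # ImageLoaded path from the event
    confidence: str   # "high" for a hash match, "low" for a filename-only match
    reason: str


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=...,IMPHASH=...' string into {algorithm: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify_driver_loads(events):
    """Return one Finding per event whose driver matches the blocklist."""
    findings = []
    for ev in events:
        image = ev.get("ImageLoaded", "")
        name = PureWindowsPath(image).name.lower()
        sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
        if sha256 in BLOCKLIST_SHA256:
            # A hash match survives renaming: NSecKrnl64.sys below is still caught.
            findings.append(Finding(image, "high", f"SHA256 on blocklist: {BLOCKLIST_SHA256[sha256]}"))
        elif name in BLOCKLIST_NAMES:
            findings.append(Finding(image, "low", f"filename {name} matches an abused driver; verify hash and signer"))
    return findings


# Constructed sample events; ImageLoaded and Hashes are the Sysmon fields that matter here.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Hashes": "SHA256=" + "ab" * 32},
    {"ImageLoaded": r"C:\ProgramData\svc\NSecKrnl64.sys", "Hashes": "SHA256=" + "11" * 32},
    {"ImageLoaded": r"C:\Users\Public\truesight.sys", "Hashes": "SHA256=" + "cd" * 32},
]

if __name__ == "__main__":
    for f in classify_driver_loads(SAMPLE_EVENTS):
        print(f"[{f.confidence}] {f.image}: {f.reason}")
```

Windows also logs each new driver service in System event 7045, which gives a second vantage point when Sysmon is absent; the same blocklist lookup applies to the service binary path and its hash.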

Targeting strategies are also shifting toward cloud storage. Poorly configured Amazon Web Services S3 buckets are being abused through the platform's own API operations to erase data, restrict the legitimate owner's access, overwrite files, or quietly copy out sensitive information. Because these calls are ordinary, authorized S3 activity rather than an exploit, they are hard to distinguish from normal use.
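The S3 abuse works because the bucket policy already grants the damaging operations; the attacker only has to call them. As an added example, not taken from the page or from AWS, the Python below evaluates a bucket policy document offline and lists which damaging actions (read, overwrite, delete, policy or ACL changes, lifecycle-based deletion) any anonymous principal can perform without a Condition, showing a weak policy beside a corrected one. The bucket name, account ID and role name are constructed placeholders; S3 Block Public Access and bucket ACLs are separate layers this check does not read, and resource scoping is ignored.

```python
"""Find S3 bucket-policy grants that let anyone perform damaging operations.

Added example for this page, not AWS code. Works offline on a policy document;
bucket name, account ID and role name below are constructed placeholders.
"""
import json
from fnmatch import fnmatchcase

# Actions an attacker needs for the behaviours described in the article.
DESTRUCTIVE = {
    "s3:GetObject": "read or exfiltrate data",
    "s3:ListBucket": "enumerate objects",
    "s3:PutObject": "overwrite files",
    "s3:DeleteObject": "erase data",
    "s3:DeleteObjectVersion": "erase data including old versions",
    "s3:PutBucketPolicy": "restrict or lock out the owner",
    "s3:PutBucketAcl": "restrict or lock out the owner",
    "s3:PutLifecycleConfiguration": "schedule mass deletion",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _matches(action, patterns):
    # IAM action names are case-insensitive and may carry wildcards (s3:Delete*).
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def public_risks(policy_doc):
    """Return {action: impact} for DESTRUCTIVE actions granted to everyone unconditionally."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    risks = {}
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not _is_public(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # a Condition narrows the grant; review it by hand rather than auto-flag
        actions = _as_list(st.get("Action"))
        not_actions = _as_list(st.get("NotAction"))
        for action, impact in DESTRUCTIVE.items():
            # Action grants what matches; NotAction grants everything that does not.
            if (actions and _matches(action, actions)) or (not_actions and not _matches(action, not_actions)):
                risks[action] = impact
    return risks


# Weak policy: anonymous read, overwrite and delete on every object.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:Delete*"],
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
    }],
}

# Corrected policy: one named role gets the actions; plaintext access is denied to all.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-writer"},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket-placeholder",
                         "arn:aws:s3:::example-bucket-placeholder/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    print("weak    :", public_risks(WEAK_POLICY))
    print("hardened:", public_risks(HARDENED_POLICY))
```

Turning on S3 Block Public Access at the account level makes a policy like WEAK_POLICY ineffective regardless of its content; the check above is for the case where that guard rail is off or a policy is being reviewed before deployment.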

Industry tracking from Cyble indicates that GLOBAL GROUP is among several ransomware crews that appeared in 2025, alongside Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. ReliaQuest reported that Sinobi’s data leak activity increased by 306 percent in the final quarter of 2025, ranking it third behind Qilin and Akira. LockBit’s resurgence included 110 victim listings in December alone. Researchers estimate that ransomware actors claimed 4,737 attacks in 2025, compared with 4,701 in 2024. Incidents centered only on data theft rose to 6,182, reflecting a 23 percent increase. Coveware reported that average ransom demands reached $591,988 in late 2025, driven by a small number of exceptionally large settlements, and warned that attackers may shift back toward encryption-based extortion to increase pressure on victims.

Cloud Storage Scam Uses Fake Renewal Notices to Trick Users

Cybercriminals are running a large-scale email scam that falsely claims cloud storage subscriptions have failed. For several months, people across different countries have been receiving repeated messages warning that their photos, files, and entire accounts will soon be restricted or erased due to an alleged payment issue. The volume of these emails has increased sharply, with many users receiving several versions of the same scam in a single day, all tied to the same operation.

Although the wording of each email differs, the underlying tactic remains the same. The messages pressure recipients to act immediately by claiming that a billing problem or storage limit must be fixed right away to avoid losing access to personal data. These emails are sent from unrelated and randomly created domains rather than official service addresses, a common sign of phishing activity.

The subject lines are crafted to trigger panic and curiosity. Many include personal names, email addresses, reference numbers, or specific future dates to appear genuine. The messages state that a renewal attempt failed or a payment method expired, warning that backups may stop working and that photos, videos, documents, and device data could disappear if the issue is not resolved. Fake account numbers, subscription details, and expiry dates are used to strengthen the illusion of legitimacy.

Every email in this campaign contains a link. The first web address typically sits on a well-known cloud hosting platform, which lends it credibility, but it serves only as a relay: clicking it silently redirects the user to fraudulent sites hosted on frequently changing domains. These pages imitate real cloud dashboards and display cloud-related branding to gain trust. They falsely claim that storage is full and that syncing of photos, contacts, files, and backups has stopped, warning that data will be lost without immediate action.

After clicking through, users are shown a fake scan that always reports that services such as photo storage, drive space, and email are full. Victims are then offered a short-term discount, presented as a loyalty upgrade with a large price reduction. Instead of leading to a real cloud provider, the buttons redirect to unrelated sales pages advertising VPNs, obscure security tools, and other subscription products. The final step leads to payment forms that collect card details and generate profit for the scammers through affiliate commissions.
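Triaging one of these links without a browser means following the relay hop by hop while refusing to execute anything. The Python below is an added example, not part of the original article, that records the redirect chain with only the standard library: it disables urllib's automatic redirect following so every Location header is observed, also honours a meta-refresh on a 200 page since relays often use that instead of a 3xx, caps the hop count, and reports whether the landing host differs from the first hop. The fetch function is injectable, so the block runs offline against a constructed chain of reserved .test hostnames; passing the real http_fetch performs live requests.

```python
"""Follow a phishing relay one hop at a time and record the redirect chain.

Added example for this page. FAKE_WEB is a constructed chain so the block runs
offline; http_fetch is the live equivalent and is only used when asked for.
"""
import re
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
REFRESH_URL = re.compile(r"content\s*=\s*[\"']?\s*\d+\s*;\s*url\s*=\s*[\"']?([^\"'>\s]+)", re.IGNORECASE)


def meta_refresh_target(body):
    """Return the URL of an HTML meta-refresh, whatever the attribute order, else None."""
    for tag in META_TAG.findall(body):
        if re.search(r"http-equiv\s*=\s*[\"']?refresh", tag, re.IGNORECASE):
            m = REFRESH_URL.search(tag)
            if m:
                return m.group(1)
    return None


def http_fetch(url, timeout=10):
    """Fetch one hop without following redirects. Returns (status, location, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.headers.get("Location"), ""


def resolve_chain(url, fetch=http_fetch, max_hops=10):
    """Return the list of URLs visited, starting with `url`, stopping at the first non-redirect."""
    chain = [url]
    for _ in range(max_hops):
        status, location, body = fetch(chain[-1])
        nxt = None
        if 300 <= status < 400 and location:
            nxt = location
        elif status == 200:
            nxt = meta_refresh_target(body)
        if not nxt:
            break
        chain.append(urljoin(chain[-1], nxt))  # resolves relative Location values
    return chain


def host_changed(chain):
    """True when the landing host is not the host the victim saw in the email."""
    return urlsplit(chain[0]).hostname != urlsplit(chain[-1]).hostname


# Constructed relay: cloud-hosted first hop -> 302 -> relative 302 -> meta refresh -> landing page.
FAKE_WEB = {
    "https://storage.example-cloud.test/r/abc": (302, "https://redir.example.test/go", ""),
    "https://redir.example.test/go": (302, "/step2", ""),
    "https://redir.example.test/step2": (200, None,
        '<html><head><meta http-equiv="refresh" content="0;url=https://cloud-renewal.example.test/dash"></head></html>'),
    "https://cloud-renewal.example.test/dash": (200, None, "<html>Your storage is full</html>"),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, None, ""))


if __name__ == "__main__":
    chain = resolve_chain("https://storage.example-cloud.test/r/abc", fetch=fake_fetch)
    print(" -> ".join(chain))
    print("landing host differs from first hop:", host_changed(chain))
```

Relays frequently fingerprint the client (User-Agent, language, source address) and serve a harmless page to anything that looks like a scanner, so a trace from a sandboxed browser remains the ground truth; do not run the live fetch from a workstation whose address you care about.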

Many recipients mistakenly believe these offers will fix a real storage problem and end up paying for unnecessary products. These emails and websites are not official notifications. Real cloud companies do not solve billing problems through storage scans or third-party product promotions. When payments fail, legitimate providers usually restrict extra storage first and provide a grace period before any data removal.

Users should delete such emails without opening links and avoid purchasing anything promoted through them. Any concerns about storage or billing should be checked directly through the official website or app of the cloud service provider.

Attackers Hijack Microsoft Email Accounts to Launch Phishing Campaign Against Energy Firms

Cybercriminals have compromised Microsoft email accounts belonging to organizations in the energy sector and used those trusted inboxes to distribute large volumes of phishing emails. In at least one confirmed incident, more than 600 malicious messages were sent from a single hijacked account.

Microsoft security researchers explained that the attackers did not rely on technical exploits or system vulnerabilities. Instead, they gained access by using legitimate login credentials that were likely stolen earlier through unknown means. This allowed them to sign in as real users, making the activity harder to detect.

The attack began with emails that appeared routine and business-related. These messages included Microsoft SharePoint links and subject lines suggesting formal documents, such as proposals or confidentiality agreements. To view the files, recipients were asked to authenticate their accounts.

When users clicked the SharePoint link, they were redirected to a fraudulent website designed to look legitimate. The site prompted them to enter their Microsoft login details. By doing so, victims unknowingly handed over valid usernames and passwords to the attackers.

After collecting credentials, the attackers accessed the compromised email accounts from different IP addresses. They then created inbox rules that automatically deleted incoming emails and marked messages as read. This step helped conceal the intrusion and prevented account owners from noticing unusual activity.
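Those inbox rules are the most durable evidence the intrusion leaves in the tenant, and their creation is logged. The Python below is an added example, not Microsoft's code, that scores Microsoft 365 Unified Audit Log records for New-InboxRule and Set-InboxRule operations: it flags rules that delete mail or mark it as read, move it to rarely viewed folders, forward or redirect it outside the organization, or carry a near-empty name, and it reports the client IP so an analyst can compare it with the user's usual sign-in locations. The record shape (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs) is assumed from the ExchangeAdmin audit record format; the sample records, organization domain and IP addresses are constructed.

```python
"""Score Microsoft 365 audit records for inbox rules that hide phishing evidence.

Added example for this page, not Microsoft code. The record shape is assumed from
ExchangeAdmin Unified Audit Log entries; all sample values are constructed.
"""
import re
from dataclasses import dataclass

ORG_DOMAINS = {"example-energy.test"}  # constructed organization domain
# Folders users rarely open; attackers park victims' replies and bounces here.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "archive", "deleted items", "junk email"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class RuleAlert:
    user: str
    rule_name: str
    client_ip: str
    reasons: list


def _params(record):
    """Flatten the record's Parameters list of {Name, Value} into a dict."""
    return {p.get("Name", ""): p.get("Value", "") for p in record.get("Parameters", [])}


def _is_true(value):
    return str(value).strip().lower() in {"true", "$true", "1"}


def _external_recipients(value):
    """Addresses in a ForwardTo/RedirectTo value whose domain is not ours."""
    return [a for a in EMAIL_RE.findall(str(value))
            if a.rsplit("@", 1)[1].lower() not in ORG_DOMAINS]


def analyze_inbox_rule_events(records):
    """Return a RuleAlert for every rule creation or change that looks like evidence hiding."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        p = _params(rec)
        reasons = []
        if _is_true(p.get("DeleteMessage")):
            reasons.append("deletes incoming mail")
        if _is_true(p.get("MarkAsRead")):
            reasons.append("marks mail as read")
        folder = str(p.get("MoveToFolder", ""))
        if folder.split("\\")[-1].strip().lower() in HIDE_FOLDERS:
            reasons.append(f"moves mail to rarely viewed folder {folder!r}")
        for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            ext = _external_recipients(p.get(key, ""))
            if ext:
                reasons.append(f"{key} sends mail outside the organization: {', '.join(ext)}")
        name = str(p.get("Name", ""))
        if len(name.strip(" .")) <= 2:
            reasons.append(f"near-empty rule name {name!r}")
        if reasons:
            alerts.append(RuleAlert(rec.get("UserId", ""), name, rec.get("ClientIP", ""), reasons))
    return alerts


# Constructed records. 203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "a.user@example-energy.test", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": ".."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "proposal;undeliverable;out of office"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "b.user@example-energy.test", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Invoices to finance"},
                    {"Name": "From", "Value": "billing@vendor.test"},
                    {"Name": "MoveToFolder", "Value": ":\\Inbox\\Finance"}]},
    {"Operation": "Set-InboxRule", "UserId": "c.user@example-energy.test", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "Sync"},
                    {"Name": "MoveToFolder", "Value": ":\\Inbox\\RSS Feeds"},
                    {"Name": "ForwardTo", "Value": "archive.backup@mailbox-relay.test"}]},
    {"Operation": "Set-Mailbox", "UserId": "d.user@example-energy.test", "ClientIP": "192.0.2.9",
     "Parameters": []},
]

if __name__ == "__main__":
    for a in analyze_inbox_rule_events(SAMPLE_RECORDS):
        print(f"{a.user} rule {a.rule_name!r} from {a.client_ip}: {'; '.join(a.reasons)}")
```

The records come from Exchange Online PowerShell with Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule; running the same heuristics over Get-InboxRule -Mailbox output for each compromised user catches rules created before auditing was switched on. Note that the same client IP appears for two different users in the sample, which is exactly the pivot the article describes.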

Using these compromised inboxes, the attackers launched a second wave of phishing emails. These messages were sent not only to external contacts but also to colleagues and internal distribution lists. Recipients were selected based on recent email conversations found in the victim’s inbox, increasing the likelihood that the messages would appear trustworthy.

In this campaign, the attackers actively monitored inbox responses. They removed automated replies such as out-of-office messages and undeliverable notices. They also read replies from recipients and responded to questions about the legitimacy of the emails. All such exchanges were later deleted to erase evidence.

Any employee within an energy organization who interacted with the malicious links was also targeted for credential theft, allowing the attackers to expand their access further.

Microsoft confirmed that the activity began in January and described it as a short-duration, multi-stage phishing operation that was quickly disrupted. The company did not disclose how many organizations were affected, identify the attackers, or confirm whether the campaign is still active.

Security experts warn that simply resetting passwords may not be enough in these attacks. Because attackers can interfere with multi-factor authentication settings, they may maintain access even after credentials are changed; for example, they can register their own device to receive one-time authentication codes. Remediation therefore has to cover the whole foothold: revoke active sessions and refresh tokens alongside the password reset, review the account's registered MFA methods and remove any the owner does not recognize, and delete the inbox rules the attackers created.

Despite these risks, multi-factor authentication remains a critical defense against account compromise. Microsoft also recommends using conditional access controls that assess login attempts based on factors such as location, device health, and user role. Suspicious sign-ins can then be blocked automatically.

Additional protection can be achieved by deploying anti-phishing solutions that scan emails and websites for malicious activity. These measures, combined with user awareness, are essential as attackers increasingly rely on stolen identities rather than software flaws.


Fake DHL Pickup Slips Used in QR Code Phishing Scam


Criminals are using fake DHL pickup slips to carry out a new phishing scam that targets customers during periods of high online shopping activity, according to the company. 

The scam involves counterfeit versions of DHL’s familiar yellow delivery notices, which are typically left when a parcel cannot be delivered. Unlike genuine slips, the fake notices contain a QR code that prompts recipients to scan it to arrange a redelivery. 

Scanning the code redirects users to a fraudulent website designed to closely resemble DHL’s official site. Victims are then asked to enter personal information, including names, addresses and bank details, which can be used for financial fraud and identity theft. 

The tactic is part of a broader trend known as “quishing,” a form of phishing that relies on QR codes rather than email links. These scams are increasingly being spread through physical notices, emails, text messages and fake social media accounts. 

Jens-Uwe Hogardt, a spokesperson for DHL, said such fraud attempts are becoming more sophisticated and harder to detect. He noted that official DHL communications are sent only from verified email domains such as “@dhl.com” or “@dhl.de,” and that legitimate messages do not originate from generic email services. 
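The sender-domain test DHL describes is the same one that exposes the cloud-renewal emails earlier on this page, which arrive from unrelated, freshly registered domains. The Python below is an added example, not DHL's or the page's code, that applies it to a raw message: it checks whether the From domain is an official brand domain or a subdomain of one, flags lookalike domains that merely embed the brand name, generic mail providers, display names that borrow the brand, Reply-To or Return-Path domains that differ from From, and, because From is trivially spoofed, a DMARC verdict other than pass in the Authentication-Results header written by the receiving server. The official domains dhl.com and dhl.de come from the article; the sample messages and every other hostname are constructed.

```python
"""Check a raw email's sender against a brand's official domains.

Added example for this page. Official domains dhl.com and dhl.de are from the
article; the sample messages and all other hostnames are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

OFFICIAL_DHL = {"dhl.com", "dhl.de"}
GENERIC_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "gmx.de", "web.de"}


def _domain(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _is_official(domain, official):
    # Exact match or a subdomain such as noreply.dhl.com; dhl.com.example would not pass.
    return any(domain == o or domain.endswith("." + o) for o in official)


def assess_sender(raw_message, brand, official_domains):
    """Return the reasons this message does not look like it came from `brand` (empty = clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    reasons = []
    if not _is_official(from_dom, official_domains):
        reasons.append(f"From domain {from_dom!r} is not an official {brand} domain")
        if brand.lower() in from_dom.replace("-", "").replace(".", ""):
            reasons.append("lookalike domain embeds the brand name")
        if from_dom in GENERIC_PROVIDERS:
            reasons.append("sent from a generic mail provider")
        if brand.lower() in display.lower():
            reasons.append(f"display name {display!r} borrows the brand")
    for header in ("Reply-To", "Return-Path"):
        _, other = parseaddr(str(msg.get(header, "")))
        if other and _domain(other) != from_dom:
            reasons.append(f"{header} domain {_domain(other)!r} differs from From domain")
    # From is trivially forged; trust the receiving server's DMARC verdict over the header itself.
    auth = str(msg.get("Authentication-Results", ""))
    if auth and "dmarc=pass" not in auth.lower():
        reasons.append("Authentication-Results shows DMARC did not pass")
    return reasons


# Constructed sample messages.
LEGIT = (
    "From: DHL Paket <noreply@dhl.de>\n"
    "Return-Path: <bounces@dhl.de>\n"
    "Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass header.from=dhl.de\n"
    "Subject: Your shipment\n\nTracking details follow.\n"
)
LOOKALIKE = (
    "From: DHL Express <service@dhl-redelivery.test>\n"
    "Reply-To: <support@quickmail-generic.test>\n"
    "Subject: Action required: arrange redelivery\n\nScan the QR code to reschedule.\n"
)
GENERIC = (
    "From: DHL Kundenservice <dhl.paketservice@gmail.com>\n"
    "Subject: Zustellung fehlgeschlagen\n\nBitte bestaetigen Sie Ihre Adresse.\n"
)
SPOOFED = (
    "From: DHL <noreply@dhl.com>\n"
    "Authentication-Results: mx.example.test; spf=fail; dkim=none; dmarc=fail header.from=dhl.com\n"
    "Subject: Parcel on hold\n\nPay the customs fee here.\n"
)

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE), ("generic", GENERIC), ("spoofed", SPOOFED)]:
        print(label, "->", assess_sender(raw, "DHL", OFFICIAL_DHL) or ["no findings"])
```

For the cloud-renewal scam, substitute the provider's official domains for OFFICIAL_DHL; the emails described above fail the very first check because their domains are unrelated to any provider. The QR code on a forged slip can be run through the same logic once decoded, by treating the decoded URL's hostname like a From domain.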

DHL advises customers to track parcels only through its official website or mobile app and to avoid scanning QR codes from unsolicited delivery notices. 

Users who believe they have been targeted are urged to contact local police and DHL customer service, change passwords immediately and refrain from sharing personal or financial details through unknown links. 

"If you suspect having received fraudulent emails, SMS or found a website or social media account that tries to pass off as DHL, we encourage you to let us know at your earliest convenience, so that we can quickly take actions to stop the fraud," DHL posted. 

Authorities and companies continue to warn that vigilance is especially important during peak shopping seasons, when delivery-related scams tend to increase.