Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label phishing. Show all posts
threat
APT41 Attack Calendar Cybersecurity Detection Google Hacking malware phishing threat

APT41 Exploits Google Calendar in Stealthy Cyberattack; Google Shuts It Down

 

Chinese state-backed threat actor APT41 has been discovered leveraging Google Calendar as a command-and-control (C2) channel in a sophisticated cyber campaign, according to Google’s Threat Intelligence Group (TIG). The team has since dismantled the infrastructure and implemented defenses to block similar future exploits.

The campaign began with a previously breached government website — though TIG didn’t disclose how it was compromised — which hosted a ZIP archive. This file was distributed to targets via phishing emails.

Once downloaded, the archive revealed three components: an executable file and a dynamic-link library (DLL) disguised as image files, and a Windows shortcut (LNK) masquerading as a PDF. When users attempted to open the phony PDF, the shortcut activated the DLL, which then decrypted and launched a third file containing the actual malware, dubbed ToughProgress.

Upon execution, ToughProgress connected to Google Calendar to retrieve its instructions, embedded within event descriptions or hidden calendar events. The malware then exfiltrated stolen data by creating a zero-minute calendar event on May 30, embedding the encrypted information within the event's description field.

Google noted that the malware’s stealth — avoiding traditional file installation and using a legitimate Google service for communication — made it difficult for many security tools to detect.

To mitigate the threat, TIG crafted specific detection signatures, disabled the threat actor’s associated Workspace accounts and calendar entries, updated file recognition tools, and expanded its Safe Browsing blocklist to include malicious domains and URLs linked to the attack.

Several organizations were reportedly targeted. “In partnership with Mandiant Consulting, GTIG notified the compromised organizations,” Google stated. “We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to aid with detection and incident response.”

Google did not disclose the exact number of impacted entities.
Read more »
phishing
anime AttackonTitan Cyber Security DemonSlayer GenZ Hackers Kaspersky Naruto OnePiece phishing

Hackers Use Popular Anime Titles to Lure Gen Z into Malware Traps, Warns Kaspersky

 

Cybercriminals are increasingly camouflaging malware as anime content to exploit the growing global fascination with Japanese animation, according to cybersecurity firm Kaspersky. Their recent analysis of phishing incidents between Q2 2024 and Q1 2025 revealed over 250,000 attacks leveraging anime themes to deceive victims.

Anime, a stylized form of animated entertainment that originated in Japan, has become immensely popular, particularly among Gen Z — individuals born in the early 2000s. Kaspersky’s research highlights that anime is now more mainstream than ever, especially with younger audiences. Approximately 65% of Gen Z reportedly consume anime regularly, a trend that has made them prime targets for themed phishing campaigns.

“They connect to the characters,” Kaspersky noted, adding that viewers often become “emotionally invested” in the shows. This emotional connection is being weaponized by threat actors who are tricking fans into clicking on malicious links under the pretense of offering “exclusive episodes”, “leaked scenes”, or “premium access”.

Among the anime franchises most frequently used in these scams, Naruto topped the list with around 114,000 attack attempts. Demon Slayer followed with 44,000 incidents, trailed by other popular titles like Attack on Titan, One Piece, and Jujutsu Kaisen.

However, anime isn’t the only bait being used. Hackers have also disguised malicious content using names from other pop culture phenomena including Shrek, Stranger Things, Twilight, Inside Out, and Deadpool & Wolverine, with these non-anime themes accounting for an additional 43,000 phishing attempts. A notable spike in such attacks occurred in early 2025, coinciding with the release of the latest Shrek trailer.

As a precaution, Kaspersky advises users to steer clear of suspicious links or downloads, especially when the offer appears too good to be true. Instead, viewers looking for the latest episodes should use verified platforms such as Netflix, Hulu, or Disney+ to avoid falling victim to cyber scams.
Read more »
phishing
Coinbase credit freeze Crypto Wallet cryptocurrency Cybersecurity Data Breach Identity Theft phishing

Coinbase Confirms Data Breach Impacting Over 69,000 Users, Refuses $20M Extortion Demand

 

Coinbase, the leading cryptocurrency exchange in the United States, disclosed a recent cybersecurity breach affecting 69,461 users, according to a notification submitted to the Maine attorney general’s office. Although the hackers failed to access individual accounts or sensitive login details such as two-factor authentication codes, private keys, or crypto wallets, they were able to obtain a wide array of personal data.

The compromised information includes:
  • Full names
  • Residential addresses
  • Phone numbers
  • Email addresses
  • Partial Social Security numbers
  • Masked bank account details
  • Government-issued ID images (e.g., driver’s licenses, passports)
  • Account-related data such as transaction history and snapshots
In an SEC filing, Coinbase revealed that the attackers paid offshore contractors to gain access to internal systems. This information was weaponized to launch a social engineering scam. The perpetrators demanded $20 million in exchange for not leaking the stolen data—an offer Coinbase declined.

"Instead of funding criminal activity, we have investigated the incident, reinforced our controls, and will reimburse customers impacted by this incident," the company said in its statement.

Coinbase is currently collaborating with law enforcement and has established a $20 million reward fund to incentivize tips that could lead to the identification and capture of the individuals responsible.

Meanwhile, reports on Reddit suggest that some users received unsolicited password reset notifications as early as last week. It is still unclear whether these incidents are directly connected to the breach. CNET contacted Coinbase for a response, but no comment was issued at the time.

Steps to Protect Your Crypto and Data
Although Coinbase has confirmed that seed phrases and investor accounts remain secure, the exposure of personal data is significant. Here’s what you should do now to safeguard your information:

1. Use a Cold Wallet
security, coldwallet, hardwarewallet, cryptoassets
For regular crypto investors, shifting funds to a cold wallet—a device not connected to the internet—can provide an extra layer of security in case of future breaches

2. Freeze Your Credit Reports
creditfreeze, SSN, financialsecurity
Freeze your credit reports with all three major bureaus and consider placing a lock on your Social Security number to prevent identity misuse. Be cautious of phishing attempts that may exploit this situation.

"It's worth the hassle of setting up accounts with all three major credit bureaus. I get peace of mind at zero cost to me," said Danni Santana, CNET’s identity theft editor.

3. Notify Your Bank
banking, accountsecurity, financialfraud
Even if only partial account information was exposed, contact your bank to report the incident. You may want to open new checking or savings accounts as a precaution.

4. Enroll in Identity Monitoring Services
identitytheft, monitoring, datasecurity, insurance
Opt into a free credit and identity monitoring service. While these platforms don’t take direct action, they provide alerts if your data appears on the dark web. Paid services like Aura go further, offering identity restoration support and up to $1 million in identity theft insurance.
Read more »
Scam
Browser confidential documents Cyber Security Emails phishing Scam

When Trusted Sites Turn Dangerous: How Hackers Are Fooling Users

 


A recent cyberattack has revealed how scammers are now using reliable websites and tailored links to steal people's login credentials. This new method makes it much harder to spot the scam, even for trained eyes.


How It Was Caught

A cybersecurity team at Keep Aware was silently monitoring browser activity to observe threats in real time. They didn’t interrupt the users — instead, they watched how threats behaved from start to finish. That’s how they noticed one employee typed their login details into a suspicious page.

This alert led the team to investigate deeper. They confirmed that a phishing attack had occurred and quickly took action by resetting the affected user’s password and checking for other strange activity on their account.

What stood out was this: the phishing page didn’t come from normal browsing. The user likely clicked a link from their email app, meaning the scam started in their inbox but took place in their browser.


How the Scam Worked

The employee landed on a real, long-standing website known for selling outdoor tents. This site was over 9 years old and had a clean online reputation. But cybercriminals had broken in and added a fake page without anyone noticing.

The page showed a message saying the user had received a “Confidential Document” and asked them to type in their email to view a payment file. This is a typical trick — creating a sense of urgency to get the person to act without thinking.


Tactics Used by Hackers

The fake page was designed to avoid being studied by experts. It blocked right-clicking and common keyboard shortcuts so that users or researchers couldn’t easily inspect it.

It also had smart code that responded to how the person arrived. If the phishing link already included the target’s email address, the page would automatically fill it in. This made the form feel more genuine and saved the user a step — making it more likely they’d complete the action.

This technique also allowed attackers to keep track of which targets clicked and which ones entered their information.


Why It Matters

This attack shows just how advanced phishing scams have become. By using real websites, targeted emails, and smooth user experiences, scammers are getting better at fooling people.

To stay safe, always be cautious when entering personal information online. Even if a site looks familiar, double-check the web address and avoid clicking suspicious email links. If something feels off, report it before doing anything else.


Read more »
Trojan
AItools CapCut Cybersecurity Darkweb Infostealer malware Noodlophile phishing Ransomware RAT Spyware Telegrambot Trojan

New AI Video Tool Scam Delivers Noodlophile Malware to Steal Your Data

 

Cybercriminals are using fake AI-powered video generation tools to spread a newly discovered malware strain called ‘Noodlophile’, disguised as downloadable media content.

Fraudulent websites with names like "Dream Machine" are being promoted in high-visibility Facebook groups, pretending to be advanced AI tools that can generate videos from user-uploaded files. However, these platforms are actually fronts for distributing information-stealing malware.

While cybercriminals leveraging AI for malware distribution isn't new, Morphisec researchers have uncovered a fresh campaign that introduces this new infostealer. “Noodlophile” is currently being sold on dark web forums, frequently bundled with services like "Get Cookie + Pass," indicating it's part of a malware-as-a-service operation linked to Vietnamese-speaking threat actors.

Once a victim uploads their file to the fake site, they receive a ZIP archive that supposedly contains the generated video. Instead, the archive includes a misleading executable named "Video Dream MachineAI.mp4.exe" and a hidden folder housing essential files for subsequent malware stages. On systems with file extensions hidden, the file could appear to be a harmless video.

"The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," explains Morphisec.

This executable is actually a modified version of CapCut, a legitimate video editing software (version 445.0), and the naming and certificate are used to deceive both users and antivirus software.

Once run, the file executes a sequence of commands that launch a batch script (Document.docx/install.bat). This script then uses the Windows tool 'certutil.exe' to decode and extract a base64-encoded, password-protected RAR file that mimics a PDF. It also adds a registry key to maintain persistence on the system.

The batch script then runs srchost.exe, which executes an obfuscated Python script (randomuser2025.txt) from a hardcoded remote server. This leads to the in-memory execution of the Noodlophile stealer.

If Avast antivirus is found on the system, the malware uses PE hollowing to inject its code into RegAsm.exe. If not, it resorts to shellcode injection.

"Noodlophile Stealer represents a new addition to the malware ecosystem. Previously undocumented in public malware trackers or reports, this stealer combines browser credential theft, wallet exfiltration, and optional remote access deployment," explains the Morphisec researchers.

The malware targets data like browser credentials, session cookies, tokens, and cryptocurrency wallets. Stolen information is sent through a Telegram bot, acting as a stealthy command and control (C2) channel. In some cases, Noodlophile is also packaged with XWorm, a remote access trojan (RAT), enabling more aggressive data theft.

How to Stay Safe:
  • Avoid downloading files from unverified websites.
  • Double-check file extensions—don’t trust names alone.
  • Always run downloads through a reliable, up-to-date antivirus tool before executing.


Read more »
phishing
ceasefire Cyber Attacks Cybersecurity DDoS disinformation Hacking India Infrastructure Pakistan phishing

Cyber Warfare After Pahalgam: Over 1.5 Million Cyberattacks Target Indian Infrastructure

 

Following the Pahalgam terror incident, India experienced a massive wave of cyberattacks launched by hostile hacker groups operating from Pakistan, Bangladesh, Indonesia, and parts of the Middle East. As per a detailed investigation by the Maharashtra Cyber Cell, over 1.5 million cyber intrusions targeted Indian websites and digital systems in a deliberate, coordinated assault meant to disrupt national infrastructure and spread psychological unrest.

According to a government report titled “Road of Sindoor,” the cyber onslaught was a retaliatory move against India’s military operation conducted under the same name. The attacks aimed at government portals, municipal databases, aviation systems, and other vital infrastructure.

Despite the scale of the offensive, only 150 of the attacks showed limited success, marking a mere 0.01% success rate. This reflects India’s growing cyber resilience and the relatively low effectiveness of these foreign cyber operatives.

7 Pakistani-Backed Hacker Groups Identified

The Maharashtra Cyber Cell report identified seven key hacker groups orchestrating the campaign:
  • APT 36
  • Pakistan Cyber Force
  • Team Insane PK
  • Mysterious Bangladesh
  • Indo Hacks Sec
  • Cyber Group HOAX 1337
  • National Cyber Crew (Pakistan-allied)
These collectives employed tactics such as DDoS attacks, malware deployment, GPS spoofing, and website defacements. One of the more visible intrusions was the defacement of the Kulgaon Badlapur Municipal Council website. Additionally, several unverified claims circulated online, alleging cyber breaches of the Mumbai airport systems and telecom infrastructures.

More concerning was the coordinated use of disinformation, which sought to falsely portray that India's banking sector, power grid, and satellite systems had been compromised. The report revealed that over 5,000 fake social media posts linked to the India-Pakistan conflict were detected and removed.

Ceasefire Didn’t Halt Cyber Assaults

Even as a ceasefire agreement remained in place between India and Pakistan, cyber offensives continued, especially from Bangladesh, Indonesia, and allied Middle Eastern entities. While officials observed a decline in attack frequency post-ceasefire, they confirmed that the attacks never fully stopped.

Authorities stated, “These campaigns weren’t amateur attempts. They were designed to destabilize. Though thwarted, they signal a persistent digital threat landscape India must be prepared for.”

State and national intelligence units are now working in tandem to bolster surveillance, reinforce cybersecurity protocols, and pre-empt future threats.

The “Road of Sindoor” report has been formally shared with the Director General of Police, the State Intelligence Department, and other key law enforcement bodies, affirming India’s strategic focus on digital sovereignty and cybersecurity preparedness.
Read more »
SSA
Cybersecurity Datatheft Fraud IdentityTheft malware phishing remotetool Scam screenconnect SSA

Cybercriminals Target Social Security Users with Sophisticated Phishing Scam

 

A new wave of phishing attacks is exploiting public trust in government agencies. Cybercriminals are sending fraudulent emails that appear to come from the Social Security Administration (SSA), aiming to trick recipients into downloading a remote access tool that gives hackers full control over their computers, according to a report by Malwarebytes.

The scam emails, often sent from compromised WordPress websites, claim to offer a downloadable Social Security statement. However, the entire message is typically embedded as an image—a tactic that allows it to bypass most email filters. Clicking on the link initiates the installation of ScreenConnect, a powerful malware tool that enables attackers to infiltrate your device remotely.

The campaign has been attributed to a phishing group known as Molatori, whose goal is to extract personal, banking, and other sensitive information. “Once in, the attackers can steal your data, commit financial fraud, and engage in identity theft,” the report warns.

To avoid falling victim, experts suggest staying alert to red flags. These scam emails often contain poor grammar, missing punctuation, strange formatting, and unusual colour schemes for links. Such errors—evident in screenshots shared by Malwarebytes and the SSA—are clear signs of a scam, even as AI-driven tactics make phishing attempts more convincing than ever.

“If you want to view your Social Security statement, the safest option is to visit ssa.gov,” the SSA advises.

What to Do If  You're Targeted:

  • Cut off all communication with the scammer
  • Report the incident to the SSA Office of the Inspector General (OIG)
  • File a report with your local police
  • If you've lost money, submit a complaint to the FBI’s Internet Crime Complaint Center (IC3)

As phishing threats continue to evolve, cybersecurity awareness remains your best defense.


Read more »
phishing
Business Security cloud hosting cookie theft Credential Theft Cybersecurity Data Breach fake alerts Meta OTP phishing

Meta Mirage” Phishing Campaign Poses Global Cybersecurity Threat to Businesses

 

A sophisticated phishing campaign named Meta Mirage is targeting companies using Meta’s Business Suite, according to a new report by cybersecurity experts at CTM360. This global threat is specifically engineered to compromise high-value accounts—including those running paid ads and managing brand profiles.

Researchers discovered that the attackers craft convincing fake communications impersonating official Meta messages, deceiving users into revealing sensitive login information such as passwords and one-time passcodes (OTP).

The scale of the campaign is substantial. Over 14,000 malicious URLs were detected, and alarmingly, nearly 78% of these were not flagged or blocked by browsers when the report was released.

What makes Meta Mirage particularly deceptive is the use of reputable cloud hosting services—like GitHub, Firebase, and Vercel—to host counterfeit login pages. “This mirrors Microsoft’s recent findings on how trusted platforms are being exploited to breach Kubernetes environments,” the researchers noted, highlighting a broader trend in cloud abuse.

Victims receive realistic alerts through email and direct messages. These notifications often mention policy violations, account restrictions, or verification requests, crafted to appear urgent and official. This strategy is similar to the recent Google Sites phishing wave, which used seemingly authentic web pages to mislead users.

CTM360 identified two primary techniques being used:
  • Credential Theft: Victims unknowingly submit passwords and OTPs to lookalike websites. Fake error prompts are displayed to make them re-enter their information, ensuring attackers get accurate credentials.
  • Cookie Theft: Attackers extract browser cookies, allowing persistent access to compromised accounts—even without login credentials.
Compromised business accounts are then weaponized for malicious ad campaigns. “It’s a playbook straight from campaigns like PlayPraetor, where hijacked social media profiles were used to spread fraudulent ads,” the report noted.

The phishing operation is systematic. Attackers begin with non-threatening messages, then escalate the tone over time—moving from mild policy reminders to aggressive warnings about permanent account deletion. This psychological pressure prompts users to respond quickly without verifying the source.

CTM360 advises businesses to:
  • Manage social media accounts only from official or secure devices
  • Use business-specific email addresses
  • Activate Two-Factor Authentication (2FA)
  • Periodically audit security settings and login history
  • Train team members to identify and report suspicious activity
This alarming phishing scheme highlights the need for constant vigilance, cybersecurity hygiene, and proactive measures to secure digital business assets.
Read more »
Subscribe to: Posts (Atom)