AMOS Stealer Deployment via ClickFix Social Engineering on macOS

Threat actors are deploying the AMOS Stealer on macOS by adapting the "ClickFix" social engineering technique. The attack leverages browser-based lures masquerading as AI tool errors (e.g., ChatGPT, Grok), prompting users to manually copy and execute a malicious command in the macOS Terminal. This sequence bypasses browser security and Gatekeeper by utilizing curl or wget to download a DMG file, which is then silently mounted via hdiutil. The primary objective is the exfiltration of browser passwords, session cookies, and cryptocurrency wallets.

Extradition of Alleged Scattered Spider Member Peter Stokes

The extradition of 19-year-old Peter Stokes from Finland to the United States marks a significant law enforcement milestone against the Scattered Spider threat actor group. Stokes, a dual U.S. and Estonian citizen, faces charges of conspiracy, computer intrusion, and fraud in the Northern District of Illinois. The group is recognized for advanced social engineering, identity theft, and unauthorized system access through fraudulent authentication bypasses. This apprehension demonstrates the increasing efficacy of international judicial cooperation in targeting digitally native operatives who exploit transnational boundaries to facilitate high-impact intrusion campaigns against enterprise environments.

Check Point 2026 Exposure Gap Report: AI-Driven Vulnerability Inflation

The report identifies "AI-Driven Vulnerability Inflation," a phenomenon where AI-augmented threat actors and automated discovery tools have doubled the volume of critical CVE discoveries. This surge has significantly degraded the signal-to-noise ratio within Security Operations Centers (SOCs), as fewer than 8.3% (1 in 12) of reported critical vulnerabilities require immediate remediation. The disconnect between high-level AI security governance and actual technical enforcement capabilities is widening a critical "exposure gap," overwhelming frontline defenders with low-priority alerts and high-velocity exploit payloads generated via Large Language Models (LLMs).

Malicious Chromium Extension Spoofing Perplexity AI for Real-Time Data Exfiltration

A malicious Chromium extension masquerading as a Perplexity AI tool leveraged Manifest V3 (MV3) APIs to intercept and log real-time address bar keystrokes before user submission. By implementing a redirection pattern (User → Attacker Intermediary → Legitimate Search Provider), the threat actor captured sensitive queries, PII, and credentials without disrupting the user experience. This human-layer attack highlights a critical governance gap in browser extension auditing, allowing for silent reconnaissance and intellectual property theft within corporate environments via attacker-controlled intermediary infrastructure.

UNC3753: Hybrid Vishing and Physical Infiltration via RMM Tools

UNC3753, also identified as the Silent Ransom Group, is conducting a sophisticated hybrid extortion campaign targeting United States law firms. The threat actor bypasses traditional digital perimeters by combining voice phishing (vishing) with physical social engineering to gain onsite access to office premises. Once physical access is achieved, the actors deploy Remote Monitoring and Management (RMM) tools to establish persistent command-and-control (C2) capabilities. This facilitates the targeted exfiltration of sensitive legal documentation and attorney-client privileged data, which is subsequently leveraged for financial extortion. This campaign represents a critical risk to data confidentiality, physical security protocols, and professional privilege.

CrowdStrike: North Korean Operatives Infiltrating U.S. Tech Industry

CrowdStrike identifies North Korean state-sponsored actors, primarily the FAMOUS CHOLLIMA cluster, as responsible for approximately 47% of all "hands-on-keyboard" operations targeting the U.S. technology sector [1]. The threat actors utilize fraudulent remote employment personas, augmented by AI-generated resumes and stolen PII, to circumvent remote KYC and background checks. To maintain stealthy persistence, operatives deploy U.S.-based "laptop farms" utilizing PiKVM hardware for BIOS-level control and Tailscale mesh VPNs for encrypted C2 communication [2]. These operations focus on high-value intellectual property exfiltration and cryptocurrency theft to finance DPRK weapons development.

US Seizure of China-Linked Front Companies Centrik Global and Rightinfo

The U.S. Department of Justice (DOJ) and FBI disabled 13 domains associated with a Chinese intelligence operation utilizing front companies, including Centrik Global and Rightinfo, to conduct social engineering attacks against U.S. government and military personnel. Since November 2023, threat actors leveraged AI-generated personas and professional freelance platforms to recruit targets for "consulting" roles. The campaign transitioned victims to Telegram and used cryptocurrency for payments to incentivize the exfiltration of sensitive national security data and classified research. Remediation involved the legal seizure of infrastructure and a wide-scale Army advisory distributed to over one million personnel.

Silent Ransom Group UNC3753 Leverages AnyDesk, Zoho Assist, and iManage to Target U.S. Law Firms

The threat actor known as Silent Ransom Group (UNC3753, also referred to as Luna Moth) is conducting high-tempo extortion campaigns against U.S. law and professional services firms. The attack chain utilizes spearphishing and vishing (T1566.004) to trick personnel into installing Remote Monitoring and Management (RMM) tools such as AnyDesk and SuperOps. Attackers then exploit BYOD endpoints to gain access to corporate Virtual Desktop Infrastructure (VDI), including Windows 365 and Citrix environments. Once inside, the group performs surgical data harvesting from document management systems like iManage, targeting PII and tax logs. The campaign is characterized by rapid execution—often completing the lifecycle within a single business day—and includes physical USB-based exfiltration.

Breach of French Government Messaging Platform Tchap

A multi-vector security breach has compromised Tchap, the mandated secure communication platform for approximately 300,000 French public servants. The incident originated from a successful social engineering attack that allowed a threat actor to hijack a legitimate employee account. Following the takeover, the actor claimed the exfiltration of 650,000 messages, 73,000 account records, and 13.5GB of files. Furthermore, secondary allegations suggest a technical vulnerability exists within the platform, potentially allowing unauthenticated access to media files. This breach underscores the critical risk of identity-based exploitation and the compounding danger of secondary technical vulnerabilities in government-mandated communication infrastructures.

The CypherLoc Kit: Advanced Browser-Locking Scareware Campaign

Since the beginning of 2026, threat actors have deployed the CypherLoc Kit, a sophisticated browser-based scareware tool that has orchestrated approximately 2.8 million attacks. The kit leverages intense social engineering by locking a user's web browser and displaying fraudulent, high-pressure Microsoft support alerts designed to funnel victims toward malicious technical support lines. By executing encrypted, environment-aware code directly within the browser, CypherLoc effectively bypasses traditional endpoint security and sandbox analysis that rely on malicious file detection. Organizations must prioritize browser security posture and enhanced user awareness training to mitigate the risks of these highly evasive, non-file-based social engineering campaigns.

The Rise of DeepPhish: The Multi-Modal AI-Driven Social Engineering Threat

This report analyzes the emergence of "DeepPhish," a sophisticated social engineering paradigm that leverages generative AI to transition from text-based deception to multi-modal identity impersonation. As attackers integrate synthesized audio, video, and context-aware text, the threat landscape shifts from simple phishing to high-fidelity impersonation targeting critical enterprise and financial infrastructure.