CyberSecurity news

FlagThis - #Phishing

@cyberalerts.io //
North Korean state-sponsored actor Konni, also known as TA406, has been observed targeting Ukrainian government entities in intelligence collection operations. Researchers at Proofpoint uncovered phishing campaigns initiated in February 2025, where the threat group delivered both credential harvesting tools and malware. These attacks are designed to gather intelligence on the trajectory of the Russian invasion, reflecting Konni's broader pattern of cyber espionage and information gathering. The group's activities extend beyond Ukraine, as they have historically targeted government entities in Russia for strategic intelligence purposes.

The phishing emails used in the attacks often impersonate think tanks and reference important political events or military developments to lure their targets. These emails contain links to password-protected RAR archives hosted on cloud services. Once opened, these archives launch infection sequences designed to conduct extensive reconnaissance of compromised machines. A common tactic involves using CHM files displaying decoy content related to Ukrainian military figures. Clicking on the decoy content triggers the execution of a PowerShell command, downloading a next-stage PowerShell payload from an external server.

This newly launched PowerShell script is capable of gathering detailed information about the compromised system, encoding it, and sending it back to the attacker's server. In some instances, Proofpoint observed HTML files being directly distributed as attachments, instructing victims to click embedded links to download ZIP archives containing malicious files. The ultimate goal of these campaigns is to collect intelligence relevant to the conflict, potentially to support North Korea's military involvement alongside Russia in Ukraine and assess the political landscape.

Recommended read:
References :
  • thehackernews.com: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • securityonline.info: In a recently disclosed campaign, TA406, a North Korean state-aligned threat actor, has expanded its cyber-espionage efforts by …
  • securityonline.info: TA406 Cyber Campaign: North Korea’s Focus on Ukraine Intelligence
  • www.bleepingcomputer.com: North Korea ramps up cyberspying in Ukraine to assess war risk
  • www.proofpoint.com: Proofpoint researchers look into campaigns by Democratic People's Republic of Korea (DPRK) state-sponsored actor TA406 that target government entities in Ukraine.
  • Virus Bulletin: Proofpoint researchers look into campaigns by Democratic People's Republic of Korea (DPRK) state-sponsored actor TA406 that target government entities in Ukraine.

@securebulletin.com //
A new multi-platform malware campaign is targeting organizations in Southern Europe, specifically Spain, Italy, and Portugal, through sophisticated phishing emails. This campaign leverages weaponized PDF invoices to deliver a Java-based Remote Access Trojan (RAT) known as RATty. The attack begins with emails that bypass SPF/DKIM checks by abusing Spain's serviciodecorreo.es email service, allowing forged sender addresses to appear legitimate. The emails contain a PDF attachment mimicking an invoice from Medinova Health Group, enticing recipients to click a Dropbox link.

This link redirects victims to an HTML file (Fattura.html) that initiates a multi-stage verification process, including a fake CAPTCHA, to further deceive the user. The HTML file then utilizes Ngrok tunneling to dynamically switch content based on the victim's geolocation. If the request originates from Italy, the user is redirected to MediaFire to download a malicious Java Archive (JAR) file named FA-43-03-2025.jar. Users outside of Italy are redirected to benign Google Drive documents, effectively bypassing automated sandboxes typically hosted in cloud regions outside Italy.

The final JAR file contains the RATty malware, a cross-platform Remote Access Trojan that exploits Java's capabilities to grant attackers extensive control over the compromised system. This includes remote command execution, keystroke logging, screenshot capture, and data exfiltration. The attackers may also repackage RATty in MSI installers, further disguising the threat as a software update to increase the odds of user execution. Organizations are advised to update endpoint protection tools to defend against this evolving phishing tactic.

Recommended read:
References :

@cyberalerts.io //
A new malware campaign is exploiting the hype surrounding artificial intelligence to distribute the Noodlophile Stealer, an information-stealing malware. Morphisec researcher Shmuel Uzan discovered that attackers are enticing victims with fake AI video generation tools advertised on social media platforms, particularly Facebook. These platforms masquerade as legitimate AI services for creating videos, logos, images, and even websites, attracting users eager to leverage AI for content creation.

Posts promoting these fake AI tools have garnered significant attention, with some reaching over 62,000 views. Users who click on the advertised links are directed to bogus websites, such as one impersonating CapCut AI, where they are prompted to upload images or videos. Instead of receiving the promised AI-generated content, users are tricked into downloading a malicious ZIP archive named "VideoDreamAI.zip," which contains an executable file designed to initiate the infection chain.

The "Video Dream MachineAI.mp4.exe" file within the archive launches a legitimate binary associated with ByteDance's CapCut video editor, which is then used to execute a .NET-based loader. This loader, in turn, retrieves a Python payload from a remote server, ultimately leading to the deployment of the Noodlophile Stealer. This malware is capable of harvesting browser credentials, cryptocurrency wallet information, and other sensitive data. In some instances, the stealer is bundled with a remote access trojan like XWorm, enabling attackers to gain entrenched access to infected systems.

Recommended read:
References :
  • malware.news: Novel Noodlophile Stealer spread via bogus AI tools, Facebook ads
  • thehackernews.com: Threat actors have been observed leveraging fake artificial intelligence (AI)-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile.
  • www.bleepingcomputer.com: Fake AI video generators drop new Noodlophile infostealer malware
  • securityaffairs.com: Threat actors use fake AI tools to trick users into installing the information stealer Noodlophile, Morphisec researchers warn.
  • Blog: New ‘Noodlophile’ infostealer disguised as AI video generator
  • Virus Bulletin: Morphisec's Shmuel Uzan reveals how attackers exploit AI hype to spread malware. Victims expecting custom AI videos instead get Noodlophile Stealer, a new infostealer targeting browser credentials, crypto wallets, and sensitive data.
  • www.scworld.com: Fake image-to-video AI sites deliver novel ‘Noodlophile’ infostealer
  • securityonline.info: Security Online details on the fake platforms
  • SOC Prime Blog: SocPrime blog on Noodlophile Stealer detection
  • socprime.com: SocPrime Article on Noodlophile
  • www.cybersecurity-insiders.com: CyberSecurity Insiders on malware

@cyberpress.org //
A joint investigation by SentinelLABS and Validin has exposed a massive cryptocurrency phishing operation named "FreeDrain." This industrial-scale network has been siphoning digital assets for years by exploiting weaknesses in free publishing platforms. FreeDrain utilizes aggressive SEO manipulation, free-tier web services like gitbook.io, webflow.io, and github.io, along with sophisticated layered redirection techniques to lure unsuspecting victims. The operation's primary goal is to steal cryptocurrency wallet login credentials and seed phrases, often resulting in rapid fund exfiltration.

FreeDrain operators achieve high search engine rankings by creating over 38,000 malicious subdomains on trusted platforms, including Amazon S3 and Azure Web Apps. These subdomains host lure pages that often feature AI-generated content and screenshots of legitimate wallet interfaces. When users search for wallet-related queries, they are redirected through comment-spammed URLs and custom redirector domains to highly convincing phishing clones. These phishing pages frequently include live chat widgets manned by real human operators who encourage victims to submit their credentials.

Researchers believe the operators are based in the UTC+05:30 timezone (Indian Standard Time) and work standard weekday hours. The sophistication of FreeDrain lies in its scale, automation, and ability to avoid traditional phishing email delivery vectors. Victims are funneled from benign-seeming search queries directly to malicious pages ranked at the top of major search engines. Validin first became aware of FreeDrain on May 12, 2024, after a victim reported losing approximately 8 BTC (around $500,000 at the time) to a phishing site.

Recommended read:
References :

info@thehackernews.com (The Hacker News) //
Google is integrating its Gemini Nano AI model into the Chrome browser to provide real-time scam protection for users. This enhancement focuses on identifying and blocking malicious websites and activities as they occur, addressing the challenge posed by scam sites that often exist for only a short period. The integration of Gemini Nano into Chrome's Enhanced Protection mode, available since 2020, allows for the analysis of website content to detect subtle signs of scams, such as misleading pop-ups or deceptive tactics.

When a user visits a potentially dangerous page, Chrome uses Gemini Nano to evaluate security signals and determine the intent of the site. This information is then sent to Safe Browsing for a final assessment. If the page is deemed likely to be a scam, Chrome will display a warning to the user, providing options to unsubscribe from notifications or view the blocked content while also allowing users to override the warning if they believe it's unnecessary. This system is designed to adapt to evolving scam tactics, offering a proactive defense against both known and newly emerging threats.

The AI-powered scam detection system has already demonstrated its effectiveness, reportedly catching 20 times more scam-related pages than previous methods. Google also plans to extend this feature to Chrome on Android devices later this year, further expanding protection to mobile users. This initiative follows criticism regarding Gmail phishing scams that mimic law enforcement, highlighting Google's commitment to improving online security across its platforms and safeguarding users from fraudulent activities.

Recommended read:
References :
  • Search Engine Journal: How Google Protects Searchers From Scams: Updates Announced
  • www.zdnet.com: How Google's AI combats new scam tactics - and how you can stay one step ahead
  • cyberinsider.com: Google plans to introduce a new security feature in Chrome 137 that uses on-device AI to detect tech support scams in real time.
  • The Hacker News: Google Rolls Out On-Device AI Protections to Detect Scams in Chrome and Android
  • Davey Winder: Google Confirms Android Attack Warnings — Powered By AI
  • securityonline.info: Chrome 137 Uses On-Device Gemini Nano AI to Combat Tech Support Scams
  • BleepingComputer: Google is implementing a new Chrome security feature that uses the built-in 'Gemini Nano' large-language model (LLM) to detect and block tech support scams while browsing the web. [...]
  • The Official Google Blog: How we’re using AI to combat the latest scams
  • The Tech Portal: Google to deploy Gemini Nano AI for real-time scam protection in Chrome
  • www.tomsguide.com: Google is keeping you safe from scams across search and your smartphone
  • www.eweek.com: Google’s Scam-Fighting Efforts Just Got Accelerated, Thanks to AI
  • the-decoder.com: Google deploys AI in Chrome to detect and block online scams.
  • www.techradar.com: Tired of scams? Google is enlisting AI to protect you in Chrome, Google Search, and on Android.
  • Daily CyberSecurity: Chrome 137 Uses On-Device Gemini Nano AI to Combat Tech Support Scams
  • PCMag UK security: Google's Chrome Browser Taps On-Device AI to Catch Tech Support Scams
  • Analytics India Magazine: Google Chrome to Use AI to Stop Tech Support Scams
  • eWEEK: Google’s Scam-Fighting Efforts Just Got Accelerated, Thanks to AI
  • THE DECODER: Google is now using AI models to protect Chrome users from online scams.
  • bsky.app: Google Rolls Out On-Device AI Protections to Detect Scams in Chrome and Android
  • The DefendOps Diaries: Google Chrome's AI-Powered Defense Against Tech Support Scams
  • thecyberexpress.com: Google has released new details on how artificial intelligence (AI) is being used across its platforms to combat a growing wave of online scams. In its latest Fighting Scams in Search report, the company outlines AI-powered systems that are already blocking hundreds of millions of harmful results daily and previews further enhancements being rolled out across Google Search, Chrome, and Android.
  • gHacks Technology News: Scam Protection: Google integrates local Gemini AI into Chrome browser
  • Malwarebytes: Google Chrome will use AI to block tech support scam websites
  • security.googleblog.com: Using AI to stop tech support scams in Chrome
  • iHLS: Chrome Adds On-Device AI to Detect Scams in Real Time
  • bsky.app: Google will use on-device LLMs to detect potential tech support scams and alert Chrome users to possible dangers
  • bsky.app: Google's #AI tools that protect against scammers: https://techcrunch.com/2025/05/08/google-rolls-out-ai-tools-to-protect-chrome-users-against-scams/ #ArtificialIntelligence

@ai-techpark.com //
SpyCloud, a leading identity threat protection company, released an analysis on May 7th, 2025, revealing that a staggering 94% of Fortune 50 companies have had employee identity data exposed due to phishing attacks. The analysis is based on nearly 6 million phished data records recaptured from the criminal underground over the last six months. These findings highlight the growing scale and sophistication of phishing attacks, with cybercriminals increasingly targeting high-value identity data for follow-on attacks such as ransomware, account takeover, and fraud. The data provides valuable insights for organizations to enhance their defenses, improve user training, and prevent identity-based attacks.

Nearly 82% of phishing victims had their email credentials compromised in prior data breaches, according to SpyCloud's analysis. This gives attackers a critical advantage, emphasizing the importance of monitoring and securing compromised credentials. The exposed data often includes email addresses (81% of records), IP addresses (42%), and user-agent information (31%), which identifies device and browser details. The top industries impersonated in phishing campaigns include telecommunications, IT, and financial services, highlighting the specific targets of these malicious activities.

To combat the escalating phishing threat, Brian Jack, chief information security officer at KnowBe4, a partner of SpyCloud, emphasizes the need for ongoing security awareness training and swift, targeted action to remediate exposures. He stated that "Combining human vigilance with actionable intelligence is the most effective way to stop phishing in its tracks – and prevent it from opening the door to broader cyberattacks." The rise of phishing attacks is attributed to cybercriminals modernizing their tactics and evolving campaigns into industrial-scale operations, aided by phishing-as-a-service (PhaaS) platforms and AI.

Recommended read:
References :
  • hackernoon.com: SpyCloud releases analysis of nearly 6 million phished data records recaptured from the criminal underground over the last six months.
  • hackread.com: SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks
  • www.cybersecurity-insiders.com: SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks
  • NextBigFuture.com: SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks
  • ai-techpark.com: The analysis found that phishing is causing 94% of data records to be stolen from Fortune 50 companies.

@arcticwolf.com //
Arctic Wolf Labs has identified a spear-phishing campaign orchestrated by the financially motivated threat group known as Venom Spider. The campaign targets hiring managers by abusing legitimate messaging services and job platforms. Attackers submit fake job applications with malicious resumes, leveraging an updated backdoor called More_eggs.

The fake resumes are designed to deliver the More_eggs backdoor onto the devices of unsuspecting HR personnel. Once installed, the backdoor allows the attackers to perform a variety of malicious activities, including stealing credentials, customer payment data, intellectual property, and trade secrets.

Arctic Wolf warns that the updated More_eggs malware is more sophisticated, making it harder to detect than previous versions. They advise CISOs to warn HR staff about this ongoing threat and implement measures to identify and block these malicious resumes. Notably, threat actors are using msxsl.exe, a legitimate Microsoft Command Line Transformation Utility, to execute the backdoor.

Recommended read:
References :
  • Arctic Wolf: Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims
  • Know Your Adversary: 125. Hunting for More_eggs Backdoor
  • www.csoonline.com: Fake resumes targeting HR managers now come with updated backdoor
  • securityaffairs.com: Arctic Wolf details recent campaign by Venom Spider targeting hiring managers with spear-phishing emails abusing messaging services and job platforms.
  • arcticwolf.com: Arctic Wolf® observed a recent campaign by the financially motivated threat group Venom Spider targeting hiring managers with spear-phishing emails.
  • securityonline.info: Venom Spider Evolves: Arctic Wolf Exposes More_eggs Campaign Targeting HR
  • cyberpress.org: Cybercriminals Use Fake Resumes to Infect HR Systems with More_eggs Malware
  • gbhackers.com: Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

@gbhackers.com //
Cybercriminals are increasingly leveraging adversary-in-the-middle (AiTM) attacks with reverse proxies to bypass multi-factor authentication (MFA), a security measure widely adopted to protect against unauthorized access. This sophisticated technique allows attackers to intercept user credentials and authentication cookies, effectively neutralizing the added security that MFA is designed to provide. Instead of relying on simple, fake landing pages, attackers position reverse proxies between the victim and legitimate web services, creating an authentic-looking login experience. This method has proven highly effective in capturing sensitive information, as the only telltale sign might be a subtle discrepancy in the browser's address bar.

The proliferation of Phishing-as-a-Service (PhaaS) toolkits has significantly lowered the barrier to entry for executing these complex attacks. Platforms like Tycoon 2FA and Evilproxy offer ready-made templates for targeting popular services and include features like IP filtering and JavaScript injection to evade detection. Open-source tools such as Evilginx, originally intended for penetration testing, have also been repurposed by malicious actors, further exacerbating the problem. These tools provide customizable reverse proxy capabilities that enable even novice cybercriminals to launch sophisticated MFA bypass campaigns.

To combat these evolving threats, security experts recommend that organizations reassess their current MFA strategies and consider adopting more robust authentication methods. WebAuthn, a passwordless authentication standard utilizing public key cryptography, offers a potential solution by eliminating password transmission and rendering server-side authentication databases useless to attackers. Additionally, organizations should implement measures to detect unusual session behavior, monitor for newly registered domains, and analyze TLS fingerprints to identify potential AiTM activity. By staying vigilant and adapting their security strategies, organizations can better defend against these advanced phishing techniques and protect their valuable assets.

Recommended read:
References :
  • gbhackers.com: Threat Actors Use AiTM Attacks with Reverse Proxies to Bypass MFA
  • malware.news: Threat Actors Use AiTM Attacks with Reverse Proxies to Bypass MFA
  • securityonline.info: AiTM Attacks Bypass MFA Despite Widespread Adoption
  • cyberpress.org: CyberPress reports on AiTM attacks with reverse proxies enable threat actors to bypass MFA.
  • Cyber Security News: Cybersecurity news reports new MintsLoader drops GhostWeaver.
  • Daily CyberSecurity: AiTM Attacks Bypass MFA Despite Widespread Adoption

Shivani Tiwari@cysecurity.news //
Cybersecurity firm Bitdefender has issued a warning about a significant increase in subscription scams that are cleverly disguised as legitimate online stores and enticing mystery boxes. This new wave of scams is characterized by its unprecedented sophistication, employing high-quality website design, targeted advertising, and social media exploitation to deceive unsuspecting users. Over 200 fake retail sites have been identified as part of this operation, all designed to harvest credit card data and personal information from victims globally. These sites offer a wide range of products, including clothing, electronics, and beauty items, making it harder for users to distinguish them from genuine e-commerce platforms.

This scam network leverages social media platforms, particularly Facebook, where cybercriminals deploy sponsored ads and impersonate content creators to lure victims. A key component of this fraud is the evolution of the "mystery box" scam, which promises surprise items for a nominal fee but conceals hidden subscription models in the fine print. Victims are often unknowingly enrolled in recurring payment plans, with charges ranging up to 44 EUR every 14 days, disguised as loyalty benefits or exclusive shopping privileges. The scammers exploit the human fascination with the unknown, offering boxes supposedly left at post offices or bags found at airports, requiring a small payment to claim ownership, with the primary objective being collecting financial information.

Bitdefender's investigation reveals that these schemes utilize complex payment structures and convoluted terms to confuse users, transforming a seemingly one-time purchase into recurring charges. To evade detection, scammers employ techniques such as multiple ad versions, Google Drive-hosted images for easy replacement, cropped visuals to bypass pattern recognition, and homoglyph tactics to obscure malicious intent. Many of these fraudulent sites remain active, continuously targeting users globally, with specific campaigns observed in Romania, Canada, and the United States. The connection between these scams and a Cyprus-registered address raises suspicions of a coordinated operation involving offshore entities.

Recommended read:
References :
  • cyberpress.org: Subscription-Based Scams Exploit Users to Harvest Credit Card Data
  • securityonline.info: Bitdefender exposes a sprawling web of subscription-based scams that blend professional-looking websites, social media manipulation, and …
  • cybersecuritynews.com: A significant wave of subscription-based scams is sweeping across the internet, specifically designed to steal credit card information from unsuspecting users.
  • hackread.com: Bitdefender uncovers a massive surge in sophisticated subscription scams disguised as online shops and evolving mystery boxes. Learn…
  • www.cysecurity.news: Cybersecurity researchers at Bitdefender have uncovered a sharp increase in deceptive online subscription scams, with fraudsters disguising themselves as legitimate e-commerce platforms and mystery box vendors.
  • gbhackers.com: Subscription-Based Scams Targeting Users to Steal Credit Card Information

Bill Toulas@BleepingComputer //
The FBI has released a comprehensive list of 42,000 phishing domains linked to the LabHost cybercrime platform. LabHost, a major phishing-as-a-service (PhaaS) platform, was dismantled in April 2024. The extensive list is designed to aid cybersecurity professionals and organizations in strengthening their defenses against phishing attacks. The domains were registered between November 2021 and April 2024, providing a historical record for threat detection.

This release offers a unique opportunity to bolster cybersecurity defenses and enhance threat detection strategies. By integrating these domains into existing security frameworks, organizations can proactively thwart potential threats. Retrospective analysis of logs from November 2021 to April 2024 can uncover previously undetected breaches, allowing organizations to address vulnerabilities. The list serves as a valuable resource for training phishing detection models, improving their accuracy and effectiveness.

The release of the 42,000 domains allows for the creation of comprehensive blocklists to mitigate the risk of threat actors reusing or re-registering these domains. Cybersecurity experts can analyze domain patterns to gain insights into the operations of PhaaS platforms like LabHost. This correlation of intelligence can aid in understanding the tactics, techniques, and procedures (TTPs) employed by cybercriminals, thereby enhancing the ability to predict and counter future threats.
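An added example (not code from the FBI, BleepingComputer or any cited source) of the retrospective log sweep described above: it loads a published domain list, walks proxy log lines, matches hosts and their subdomains against the list, and restricts hits to the November 2021 to April 2024 window. The domain list and log lines are constructed placeholders; the real LabHost list must be taken from the FBI release and is not reproduced here.

```python
"""Retrospective proxy-log sweep against a published phishing-domain list.

Added example, not code from the FBI or any cited write-up. SAMPLE_BLOCKLIST
and SAMPLE_LOG are constructed placeholders standing in for the real FBI
list and real proxy logs.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed placeholder entries (not real LabHost domains).
SAMPLE_BLOCKLIST = """
# one domain per line; comments and blank lines are ignored
Secure-Login-Example.invalid
bank-verify-example.test.
mailcheck-example.example
"""

# Constructed Squid-style lines: epoch, client, status, method, target, ..., user.
SAMPLE_LOG = """\
1700000000.123 10.0.0.5 TCP_MISS/200 GET https://www.secure-login-example.invalid/auth/ - user1
1700000100.456 10.0.0.7 TCP_MISS/200 GET https://news.example.org/ - user2
1700000200.789 10.0.0.9 TCP_TUNNEL/200 CONNECT bank-verify-example.test:443 - user3
1750000000.000 10.0.0.9 TCP_MISS/200 GET http://mailcheck-example.example/login - user4
"""

# The FBI list covers registrations from November 2021 to April 2024, so the
# sweep window runs from 1 Nov 2021 up to (not including) 1 May 2024.
WINDOW_START = datetime(2021, 11, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 1, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+\S+\s+(?P<method>\S+)\s+(?P<target>\S+)"
)


def normalize_domain(name: str) -> str:
    """Lower-case, strip a trailing dot, and drop any :port suffix."""
    name = name.strip().lower().rstrip(".")
    return name.rsplit(":", 1)[0] if ":" in name else name


def load_blocklist(text: str) -> Set[str]:
    """Parse a one-domain-per-line list into a normalized set."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(normalize_domain(line))
    return domains


def match_domain(host: str, blocklist: Set[str]) -> Optional[str]:
    """Return the listed domain that `host` equals or sits under, else None.

    Walking up the label chain catches lures served from subdomains of a
    listed apex (e.g. www.<listed>), which exact matching would miss. The
    bare TLD is never tested.
    """
    labels = normalize_domain(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def host_from_request(target: str) -> str:
    """Extract the hostname from a full URL or a CONNECT host:port target."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return normalize_domain(target)


def scan_log(text: str, blocklist: Set[str]) -> List[Dict[str, str]]:
    """One hit per log line whose host matches the list inside the window."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real sweep would count these
        ts = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
        if not (WINDOW_START <= ts < WINDOW_END):
            continue
        host = host_from_request(m["target"])
        listed = match_domain(host, blocklist) if host else None
        if listed:
            hits.append({"line": str(lineno), "time": ts.isoformat(),
                         "client": m["client"], "host": host, "listed": listed})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, load_blocklist(SAMPLE_BLOCKLIST)):
        print(hit)
```

Each hit records the client and timestamp, which is the starting point for checking whether the user submitted credentials and for rotating them.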

Recommended read:
References :
  • bsky.app: The FBI released a list of 42,000 phishing domains linked to the LabHost phishing-as-a-service (PhaaS) platform
  • BleepingComputer: The FBI released a list of 42,000 phishing domains linked to the LabHost phishing-as-a-service (PhaaS) platform that was dismantled in April 2024.
  • The DefendOps Diaries: FBI shares massive list of 42,000 LabHost phishing domains, boosting cybersecurity defenses and enhancing threat detection strategies.
  • bsky.app: The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024.
  • malware.news: Thousands of LabHost PhaaS domains exposed by FBI
  • securityaffairs.com: FBI shared a list of phishing domains associated with the LabHost PhaaS platform
  • Talkback Resources: FBI shared a list of phishing domains associated with the LabHost PhaaS platform [net] [social]
  • www.sentinelone.com: FBI shares 42,000 domains linked to seized PhaaS

@securityonline.info //
A new malware campaign is targeting WordPress websites by using a plugin disguised as a security tool. The malicious plugin, often named 'WP-antymalwary-bot.php', provides attackers with administrator access to compromised sites, all while remaining hidden from the WordPress admin dashboard. The Wordfence Threat Intelligence team discovered this threat in late January 2025 during a site cleanup, revealing the plugin's ability to maintain access, execute remote code, and inject malicious JavaScript. Other names associated with the plugin include addons.php, wpconsole.php, and wp-performance-booster.php, underscoring the campaign's wide reach and adaptability.

The disguised plugin is designed to appear legitimate, mimicking genuine plugin structure and code indentation, which allows it to easily evade detection by site administrators. Once installed, the plugin exploits the REST API to facilitate remote code execution, injecting malicious PHP code into the site theme's header file or clearing caches of popular caching plugins. Furthermore, the plugin incorporates a "pinging" function to report back to a command-and-control server and the ability to spread malware into other directories. A particularly concerning feature is a modified wp-cron.php file that can reactivate the plugin if removed, ensuring the malware's persistence on the compromised site.

Security researchers have observed newer versions of this malware handling code injections differently. These updated versions fetch JavaScript code from compromised domains to serve ads or spam, demonstrating the malware's evolving sophistication. The presence of Russian language comments within the code suggests that the threat actors may be Russian-speaking. The discovery of this malware campaign highlights the importance of vigilance when installing WordPress plugins. Site owners should always verify the legitimacy and reputation of plugins before installation to prevent compromise and maintain the integrity of their websites.

Recommended read:
References :
  • hackread.com: WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides…
  • securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
  • www.bleepingcomputer.com: WordPress plugin disguised as a security tool injects backdoor
  • The DefendOps Diaries: Protecting WordPress Sites from Malicious Plugin Campaigns
  • BleepingComputer: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
  • Talkback Resources: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code [app] [mal]
  • bsky.app: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
  • The Hacker News: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
  • BleepingComputer: WordPress plugin disguised as a security tool injects backdoor
  • Talkback Resources: Talkback - Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
  • Talkback Resources: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers [net] [mal]
  • bsky.app: bleepingcomputer.com/news/security/wordpress-plugin-disguised-as-a-security-tool-injects-backdoor/

Pierluigi Paganini@securityaffairs.com //
A new malware campaign is targeting WordPress sites, employing a malicious plugin disguised as a security tool to trick users into installing and trusting it. This plugin, often named 'WP-antymalwary-bot.php,' provides attackers with persistent access, remote code execution, and JavaScript injection, while remaining hidden from the plugin dashboard to evade detection. The malware was first discovered in late January 2025 during a site cleanup, where a modified 'wp-cron.php' file was found, which creates and programmatically activates the malicious plugin.

Cybercriminals are specifically targeting WooCommerce users with a large-scale phishing campaign, aiming to gain backdoor access to WordPress websites. The malicious plugin appears legitimate at first glance, complete with header comments, code indentation, and professional structure. However, it contains a backdoor function that allows attackers to log in as the first administrator user by sending a crafted GET request. This allows them to gain administrative access and inject PHP code into theme files, such as header.php, via a REST API route registered without any permission checks.

The malware enhances its stealth through various methods, including hiding itself from the WordPress Admin Dashboard using the 'hide_plugin_from_list' function. It also communicates with a Command & Control (C2) server, sending periodic "ping" updates to inform the attacker about its operational status. Furthermore, the malware injects malicious JavaScript ads into the site's pages using obfuscated methods and scripts retrieved from compromised external resources. Even if the plugin is deleted, the modified 'wp-cron.php' file reinstalls and reactivates it during the next site visit, ensuring persistence on a compromised site.
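The three indicators described above (a REST route registered without a permission check, a hook that hides the plugin from the dashboard list, and a modified wp-cron.php that re-activates the plugin) can be triaged statically. The following Python scanner is an added example, not code from the page or from the cited reports; the sample PHP files it scans are constructed lookalikes that reproduce only the indicator lines, and the rule names and the `hide_plugin_from_list` body are assumptions for illustration.

```python
"""Static triage of WordPress PHP files for the plugin-backdoor indicators
described above.  Added example; the inputs are constructed, not the real
malware.  Rules:
  rest-route-no-permission  register_rest_route() call with no permission_callback
  rest-route-public         permission_callback is __return_true (anyone may call it)
  hides-from-plugin-list    hooks the 'all_plugins' filter (how a plugin hides itself)
  cron-activates-plugin     activate_plugin() inside wp-cron.php (core never does this)
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    detail: str


# One register_rest_route(...) call.  The non-greedy match ends at the first
# ')' directly followed by ';', which is the end of the outer call as long as
# the permission_callback is a string, not an inline closure.
REST_ROUTE_RE = re.compile(r"register_rest_route\s*\((.*?)\)\s*;", re.S)
ROUTE_LABEL_RE = re.compile(r"['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]")
PUBLIC_CALLBACK_RE = re.compile(r"permission_callback['\"]\s*=>\s*['\"]__return_true['\"]")
ALL_PLUGINS_FILTER_RE = re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]")
ACTIVATE_PLUGIN_RE = re.compile(r"\bactivate_plugin\s*\(")


def scan_php(path: str, source: str) -> List[Finding]:
    findings: List[Finding] = []
    for m in REST_ROUTE_RE.finditer(source):
        args = m.group(1)
        route = ROUTE_LABEL_RE.search(args)
        label = f"{route.group(1)}{route.group(2)}" if route else "<unparsed route>"
        if "permission_callback" not in args:
            findings.append(Finding(path, "rest-route-no-permission", label))
        elif PUBLIC_CALLBACK_RE.search(args):
            findings.append(Finding(path, "rest-route-public", label))
    if ALL_PLUGINS_FILTER_RE.search(source):
        findings.append(Finding(path, "hides-from-plugin-list", "add_filter('all_plugins', ...)"))
    if path.replace("\\", "/").endswith("wp-cron.php") and ACTIVATE_PLUGIN_RE.search(source):
        findings.append(Finding(path, "cron-activates-plugin", "activate_plugin() in wp-cron.php"))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a {relative_path: php_source} mapping (read from disk in practice)."""
    out: List[Finding] = []
    for path, src in files.items():
        out.extend(scan_php(path, src))
    return out


# Constructed sample files: only the indicator lines, no payload logic.
CONSTRUCTED_FILES = {
    "wp-content/plugins/wp-antymalwary-bot/wp-antymalwary-bot.php": r"""<?php
/* Plugin Name: WP Anti-Malware Bot (constructed lookalike for the example) */
add_filter('all_plugins', 'hide_plugin_from_list');   // assumed body, for illustration
function hide_plugin_from_list($plugins) { unset($plugins['wp-antymalwary-bot/wp-antymalwary-bot.php']); return $plugins; }
add_action('rest_api_init', function () {
    register_rest_route('antymalwary/v1', '/inject', array(
        'methods'  => 'POST',
        'callback' => 'amb_handler',
    ));
});
""",
    "wp-cron.php": "<?php\n// constructed: core wp-cron.php never activates plugins\n"
                   "activate_plugin('wp-antymalwary-bot/wp-antymalwary-bot.php');\n",
    "wp-content/plugins/legit-plugin/legit.php": r"""<?php
add_action('rest_api_init', function () {
    register_rest_route('legit/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'legit_save_settings',
        'permission_callback' => 'legit_user_can_manage',
    ));
});
""",
}

if __name__ == "__main__":
    for f in scan_tree(CONSTRUCTED_FILES):
        print(f"{f.rule:26} {f.path}  ({f.detail})")
```

The wp-cron.php rule is the one worth running first after a cleanup: deleting the plugin directory is not enough if the cron file still re-creates and activates it on the next visit, so compare wp-cron.php against a pristine core copy as well as scanning it. Closures as `permission_callback` are not parsed by the simple regex; a real deployment would use a PHP tokenizer rather than regular expressions.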

Recommended read:
References :
  • Cybernews: Cybercriminals are targeting WooCommerce users with a large-scale phishing campaign, giving them backdoor access to WordPress websites.
  • securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
  • BleepingComputer: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
  • hackread.com: WordPress sites are under threat from a deceptive anti-malware plugin.
  • www.bleepingcomputer.com: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
  • The DefendOps Diaries: Learn how to protect WordPress sites from malicious plugins posing as security tools, ensuring your site's safety and integrity.

Pierluigi Paganini@securityaffairs.com //
A large-scale phishing campaign is actively targeting WordPress WooCommerce users, employing deceptive tactics to compromise their websites. Cybercriminals are sending out fake security alerts, urging recipients to download a "critical patch." Unsuspecting users who fall for the scam and download the so-called patch are actually installing a malicious plugin that creates a hidden administrator account and gives attackers backdoor access to their WordPress sites. This campaign highlights the evolving sophistication of cyber threats against e-commerce platforms.

The phishing emails are designed to mimic official WooCommerce communications and often warn of a non-existent "Unauthenticated Administrative Access" vulnerability. To further deceive users, the attackers employ homograph attacks, using domain names that closely resemble the legitimate WooCommerce website but contain subtle character differences such as 'woocommėrce[.]com'. The fake patch, once installed, allows attackers to inject malicious code, redirect site visitors, or even encrypt server resources for extortion.
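A mail gateway or SOC script can catch the homograph trick above by folding each link host to an ASCII skeleton and comparing it with the brands it is meant to protect. The Python below is an added example, not code from the page or from Patchstack; the brand list, the confusables subset and the sample email are constructed for illustration.

```python
"""Flag internationalised-domain lookalikes in URLs, as in the
'woocommėrce[.]com' case.  Added example with constructed inputs.

skeleton() folds a label to plain ASCII: NFKD decomposition turns ė into
'e' + U+0307, the combining mark is dropped, and a small set of Cyrillic
confusables is mapped to the Latin letters they resemble.
"""
import re
import unicodedata
from typing import Dict, List

# Constructed list of protected brand domains.
KNOWN_BRANDS = {"woocommerce.com", "wordpress.org"}

# Small, deliberately incomplete subset of Unicode confusables (Cyrillic -> Latin).
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y"}

URL_HOST_RE = re.compile(r"https?://([^\s/:?#]+)", re.I)


def skeleton(domain: str) -> str:
    mapped = "".join(CONFUSABLES.get(c, c) for c in domain.lower())
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def analyse_domain(domain: str) -> Dict[str, object]:
    d = domain.replace("[.]", ".").strip().rstrip(".").lower()
    try:
        # Python's idna codec returns ASCII labels unchanged and punycodes the rest.
        ascii_form = d.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None
    is_idn = ascii_form is not None and ascii_form != d
    sk = skeleton(d)
    lookalike = sk if (sk in KNOWN_BRANDS and sk != d) else None
    return {"domain": d, "punycode": ascii_form, "idn": is_idn,
            "skeleton": sk, "lookalike_of": lookalike}


def flag_lookalike_hosts(text: str) -> List[str]:
    """Return hosts in the text whose skeleton collides with a protected brand."""
    flagged = []
    for host in URL_HOST_RE.findall(text):
        if analyse_domain(host)["lookalike_of"]:
            flagged.append(host.lower())
    return flagged


# Constructed phishing-style email body (not a real sample).
CONSTRUCTED_EMAIL = (
    "Subject: Critical patch for Unauthenticated Administrative Access\n"
    "Download the patch here: https://woocommėrce.com/patch/ before it is too late.\n"
    "Documentation: https://woocommerce.com/documentation/\n"
)

if __name__ == "__main__":
    for host in URL_HOST_RE.findall(CONSTRUCTED_EMAIL):
        print(analyse_domain(host))
    print("flagged:", flag_lookalike_hosts(CONSTRUCTED_EMAIL))
```

The punycode form (`xn--...`) is what the resolver and the certificate actually see, so logging it alongside the rendered name makes the substitution visible to an analyst even when the mail client displays the accented glyph. The confusables table here is a token subset; a production check should use the full Unicode confusables data.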

Cybersecurity researchers advise WooCommerce users to be extremely cautious when receiving security alerts and to verify the authenticity of any patches directly through official WooCommerce channels. Users should also scan their instances for suspicious plugins or administrator accounts and ensure all software is up to date. The ultimate goal of the attackers is to gain remote control over the websites, allowing them to inject spam or sketchy ads, redirect site visitors to fraudulent sites, enlist the breached server into a botnet for carrying out DDoS attacks, and even encrypt the server resources as part of an extortion scheme.

Recommended read:
References :
  • Cyber Security News: The Patchstack security team has identified a large-scale, sophisticated phishing campaign targeting WooCommerce users with fake security alerts.
  • gbhackers.com: A concerning large-scale phishing campaign targeting WooCommerce users has been uncovered by the Patchstack security team, employing a highly sophisticated email and web-based phishing template to deceive website owners.
  • The DefendOps Diaries: Phishing campaign exploits WooCommerce admins with fake security patches and deceptive tactics, highlighting advanced cyber threats.
  • The Hacker News: Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a critical patch but deploy a backdoor instead.
  • BleepingComputer: WooCommerce admins targeted by fake security patches that hijack sites
  • Cybernews: Cybercriminals are targeting WooCommerce users with a large-scale phishing campaign, giving them backdoor access to WordPress websites.
  • securityaffairs.com: A large-scale phishing campaign targets WordPress WooCommerce users with a fake security alert urging them to download a ‘critical patch’ hiding a backdoor.
  • hackread.com: Sneaky WordPress Malware Disguised as Anti-Malware Plugin
  • securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
  • www.bleepingcomputer.com: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.

@computerworld.com //
The Darcula phishing-as-a-service (PhaaS) platform has recently integrated generative AI capabilities, marking a significant escalation in phishing threats. This update allows even individuals with limited technical skills to create highly convincing phishing pages at an unprecedented speed and scale. Security researchers spotted the update on April 23, 2025, noting that the addition of AI makes it simple to generate phishing forms in any language and translate them for new locations, simplifying the process to build tailored phishing pages with multi-language support and form generation — all without any programming knowledge.

The new AI-assisted features amplify Darcula's threat potential and include tools for customizing input forms and enhancing the layout and visual styling of cloned websites, according to Netcraft. The service allows users to provide a URL for any legitimate brand or service, after which Darcula downloads all of the assets from the legitimate website and creates a version that can be edited. Subscribers can then inject phishing forms or credential captures into the cloned website, which looks just like the original. The integration of generative AI streamlines this process, enabling less tech-savvy criminals to deploy customized scams in minutes.

This development lowers the technical barrier for creating phishing pages and is considered to be 'democratizing cybercrime'. Netcraft, a cybersecurity company, has reported taking down more than 25,000 Darcula pages and blocking nearly 31,000 IP addresses since March 2024. The Darcula suite uses iMessage and RCS to send text messages, which allows the messages to bypass SMS firewalls. Because of this, enterprise security teams now face an immediate escalation in phishing threats.

Recommended read:
References :
  • The Register - Security: Darcula, a cybercrime outfit that offers a phishing-as-a-service kit to other criminals, this week added AI capabilities to its kit that help would-be vampires spin up phishing sites in multiple languages more efficiently.
  • www.csoonline.com: The Darcula platform has been behind several high-profile phishing campaigns in the past, targeting both Apple and Android users in the UK, and including package delivery scams that impersonated the United States Postal Service (USPS).
  • The Hacker News: The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities. "This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft said in a fresh report shared with The Hacker News.
  • Daily CyberSecurity: Netcraft researchers have uncovered a major development in the world of phishing-as-a-service (PhaaS): an update to the darcula-suite
  • Blog: ‘Darcula’ PhaaS gets generative AI upgrade
  • hackread.com: Darcula Phishing Kit Uses AI to Evade Detection, Experts Warn
  • securityonline.info: Darcula-Suite: AI Revolutionizes Phishing-as-a-Service Operations

Shira Landau@Email Security - Blog //
A sophisticated phishing campaign is currently targeting Microsoft Office 365 users, leveraging OAuth application functionality to bypass traditional security measures and enterprise-grade spam filters. Attackers are creating applications with embedded phishing messages as the app name, allowing them to generate properly signed security notifications that appear legitimate. These deceptive emails bypass email authentication checks and appear to come from official "no-reply" addresses, successfully navigating through standard email security checks and creating a significant deception that threatens enterprise security frameworks. Security leaders are urged to reassess their defense strategies to address these emerging threats that specifically target authentication mechanisms.

Attackers register a domain and create an associated account to establish their malicious operation. They then create an OAuth app with the phishing message embedded in the app name. Granting their newly created account access to this OAuth app generates a properly signed security notification. This authenticated message is then forwarded to potential victims, directing them to fake sign-in pages that function as credential harvesting mechanisms under the guise of legitimate support pages. These pages, hosted on legitimate subdomains of the email service provider, prompt users to "upload additional documents" or "view case," both leading to credential harvesting.

The "SessionShark" phishing kit is also being used to target Microsoft Office 365 accounts, designed to bypass multi-factor authentication (MFA) by stealing session tokens. This kit operates as an adversary-in-the-middle, intercepting login credentials and user session tokens. It creates a webpage that closely mimics the legitimate Microsoft Office 365 login interface, dynamically adapting to various conditions to increase believability. Once a victim submits their credentials, including completing MFA, the sensitive details and session cookie are instantly logged and exfiltrated to the attacker via Telegram bot integration.

Recommended read:
References :
  • Email Security - Blog: Authentication Breach Alert: OAuth Flaw Enables “Perfect Phishing” Campaign
  • The DefendOps Diaries: Understanding and Mitigating OAuth 2.0 Exploitation in Microsoft 365
  • BleepingComputer: Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts
  • hackread.com: New SessionShark Phishing Kit Bypasses MFA to Steal Office 365 Logins