CyberSecurity news

FlagThis - #cyble

@cyble.com //
Cyble threat intelligence researchers have uncovered a global phishing campaign leveraging the LogoKit phishing kit. This sophisticated kit is being used to target government, banking, and logistics sectors. The initial discovery stemmed from a phishing link mimicking the Hungary CERT login page, highlighting the campaign's ability to impersonate legitimate websites to steal credentials.

The LogoKit is designed to enhance credibility and increase the likelihood of successful credential theft. The phishing attacks often embed the victim's email address in the URL, pre-filling the username field on the spoofed login page. This personalized approach, combined with the kit's ability to dynamically generate convincing phishing pages, makes it a potent threat. CRIL analyzes show that the kit uses brand assets from Clearbit and Google Favicon to create realistic-looking login pages.

These phishing campaigns are part of a larger trend of surging identity attacks. Reports indicate a significant increase in cyberattacks targeting user logins. Cybercriminals are increasingly turning to sophisticated phishing-as-a-service platforms to conduct BEC schemes and ransomware disasters. Organizations should implement strong DNS security measures to protect against such threats.

Recommended read:
References :
  • thecyberexpress.com: Cyble threat intelligence researchers identified a phishing campaign aimed at Hungarian government targets that further investigation revealed was connected to wider global attack campaigns targeting the banking and logistics sectors.
  • cyble.com: The initial phishing link we identified mimicked the Hungary CERT login page, with the victim's email address prefilled in the username field to enhance credibility and increase the likelihood of credential submission.
  • The Register - Security: Phishing platforms, infostealers blamed as identity attacks soar
  • cyble.com: Cyble's blog post on the LogoKit phishing campaign being leveraged for credential theft.
  • Security Risk Advisors: 🚩 Active LogoKit Phishing Campaign Harvests Credentials Through Automated Brand Impersonation on Cloud Infrastructure

@www.dhs.gov //
Following U.S. airstrikes on Iranian nuclear sites on June 21, 2025, a wave of cyberattacks has been launched against U.S. organizations by Iran-aligned hacktivist groups. Cyble threat intelligence researchers reported that in the first 24 hours after the strikes, 15 U.S. organizations and 19 websites were targeted with DDoS attacks. Groups such as Mr Hamza, Team 313, Keymous+, and Cyber Jihad have claimed responsibility, targeting U.S. Air Force websites, aerospace and defense companies, and financial services organizations.

The attacks have been framed as retaliation for U.S. involvement in the ongoing Israel-Iran conflict, with the groups using the hashtag #Op_Usa to deface websites and leak credentials. The U.S. Department of Homeland Security (DHS) issued a bulletin on June 22, 2025, warning of likely low-level cyber attacks against U.S. networks by pro-Iranian hacktivists, noting that cyber actors affiliated with the Iranian government may also conduct attacks. This warning highlights the escalating cyber warfare activity between the two nations.

In a notable incident, Donald Trump's social media platform, Truth Social, was paralyzed by a DDoS attack just hours after the U.S. airstrikes. The hacker group “313 Team” claimed responsibility, stating the attack was in response to President Trump's announcement of the successful strikes on Iranian nuclear sites. The DHS emphasizes that this cyber activity reflects an increasing shift of geopolitical tensions into the digital space, further intensifying the cyber security concerns.

Recommended read:
References :
  • The Hacker News: The United States government has warned of cyber attacks mounted by pro-Iranian groups after it launched airstrikes on Iranian nuclear sites as part of the Iran–Israel war that commenced on June 13, 2025.
  • www.cybersecuritydive.com: Federal officials are warning that pro-Iran hacktivists or state-linked actors may target poorly secured U.S. networks.
  • www.scworld.com: Feds tell companies to prepare for cyberattacks on U.S. systems.
  • Cyber Florida at USF: CIP Flash Bulletin | Heightened Iranian Cyber Threat Activity
  • cyble.com: The U.S. has become a target in the hacktivist attacks that have embroiled several Middle Eastern countries since the start of the Israel-Iran conflict.
  • thecyberexpress.com: Iran-aligned hacktivists launched DDoS attacks against 15 U.S. organizations and 19 websites in the first 24 hours after the U.S. bombed Iranian nuclear targets on June 21, Cyble threat intelligence researchers reported today.
  • www.dhs.gov: U.S. entry into the conflict has drawn retaliation from hacktivist groups, with attack claims ranging from credible to questionable. In the wake of the U.S. involvement, the Department of Homeland Security (DHS) on June 22 that “Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and affiliated with the Iranian government may conduct attacks against US networks.
  • www.esecurityplanet.com: US Warns of Iranian Cyber Threats as Tensions Rise Over Middle East Conflict
  • www.cybersecuritydive.com: DHS Warns of Heightened Cyber Threat as US Enters Iran Conflict
  • techcrunch.com: Homeland Security warns of Iran-backed cyberattacks targeting US networks

@x.com //
The ongoing Israel-Iran conflict has expanded into cyberspace, marked by a surge in hacktivist activity and the deployment of new malware campaigns. Pro-Israel and pro-Iranian groups are actively engaging in cyberattacks, including DDoS attacks, website defacements, and data breaches, targeting organizations within each other's territories. This digital warfare mirrors the escalating military tensions between the two nations, turning the internet into a covert combat zone.

Amidst this cyber conflict, a pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for hacking Bank Sepah, a major Iranian financial institution. Predatory Sparrow alleges that the bank was used to circumvent international sanctions and finance the Iranian regime's military activities. While independent verification of the attack is pending, reports have emerged of banking disruptions and closed Bank Sepah branches across Iran. The group has targeted Iranian organizations in the past.

The intensification of cyber hostilities between Israel and Iran raises concerns about potential spillover effects, with U.S. companies and critical infrastructure facing increased risks. Cybersecurity experts are urging organizations to brace for potential disruptions and enhance their defenses against cyberattacks. The digital conflict highlights the importance of cybersecurity preparedness in a world where geopolitical tensions increasingly manifest in cyberspace.

Recommended read:
References :
  • thecyberexpress.com: Iran-Israel cyber conflict intensifies with hacktivist attacks and new malware campaigns.
  • SpiderLabs Blog: The Digital Front Line: Israel and Iran Turn the Internet into a Covert Combat Zone
  • aboutdfir.com: U.S. companies brace for Israel-Iran cyber spillover
  • Industrial Cyber: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • SecureWorld News: Israel–Iran Conflict Escalates in Cyberspace: Banks and Crypto Hit, Internet Cut

MalBot@malware.news //
A fraudulent website, digiyatra[.]in, is actively targeting Indian air travelers by impersonating the official DigiYatra Foundation. Threat actors are exploiting the trust placed in India's digital infrastructure by setting up this deceptive phishing site. The website, which remains live at the time of reporting, is designed to harvest personal user data under the guise of providing official services for air travelers, mirroring a legitimate flight booking portal with a flight search box and user forms requesting names, phone numbers, and email addresses.

Despite the appearance of a genuine booking platform, the website does not facilitate any actual ticket sales or transactions. Instead, its sole purpose is data harvesting, enticing users to input Personally Identifiable Information (PII) by imitating a legitimate service experience. The site uses a free SSL certificate from Let's Encrypt to enhance its perceived legitimacy, further deceiving unsuspecting users. The domain was registered under the name Ali Sajil from Kerala, India, and is accessible through both its domain name and IP address (167[.]172[.]151[.]164).

The discovery of this phishing site poses significant risks, including unauthorized data collection, public deception, and potential reputational damage to the DigiYatra initiative. The site's ability to deceive users stems from its strategic use of keywords and the appearance of security through HTTPS. In response to this threat, ThreatWatch360 has taken immediate action, escalating the matter to CERT-In and submitting a takedown request to the domain registrar. Furthermore, alerts have been shared with brand protection clients, and monitoring for similar fraudulent attempts is ongoing, with DNS-level blocks advised for the domain and its IP address to prevent further abuse.

Recommended read:
References :
  • gbhackers.com: Fake DigiYatra Apps Target Indian Users to Steal Financial Data
  • infosecwriteups.com: Fake DigiYatra Website Was Targeting Indian Flyers With Lookalike Portal
  • malware.news: Fake DigiYatra Apps Target Indian Users to Steal Financial Data

@cyble.com //
In May 2025, cybersecurity experts reported a significant surge in hacktivist activity targeting Indian digital infrastructure. This wave of attacks followed the terror attack in Pahalgam, located in the Indian state of Jammu and Kashmir on April 22nd, and India’s retaliatory strikes across the border. A coordinated effort by more than 40 hacktivist groups sought to disrupt and deface numerous Indian websites, leading to widespread alarm across media and social networks as many claimed significant breaches of government, educational, and critical infrastructure websites.

However, detailed technical investigations revealed that the actual impact of these attacks on Indian cyber assets was minimal. Claims of major data breaches, such as a supposed 247 GB breach of the National Informatics Centre (NIC), were largely unfounded as the data was publicly available or fabricated. Website defacements and Distributed Denial of Service (DDoS) attacks, while numerous, were short-lived and ineffective.

Despite the relatively low impact, the cyberattacks highlighted the ongoing tensions in cyberspace between India and Pakistan. Technisanct identified 36 pro-Pakistan hacktivist groups involved in the digital assaults, countered by 14 Indian groups retaliating. The escalation in hacktivist activity serves as a reminder of the persistent and evolving cyber threats facing both nations, even amidst military tensions.

Recommended read:
References :
  • cyble.com: More than 40 hacktivist groups conducted coordinated cyberattacks against India following the April 22 terror attack in Pahalgam in the Indian state of Jammu and Kashmir, which in turn prompted India to respond with targeted strikes aimed at alleged terrorist infrastructure across the border and the Pakistan-Occupied Kashmir region (PoK).
  • thecyberexpress.com: Over 40 Hacktivist Groups Target India in Coordinated Cyber Campaign: High Noise, Low Impact
  • Secure Bulletin: Tactical reality behind the India-Pakistan hacktivist surge
  • securebulletin.com: Tactical reality behind the India-Pakistan hacktivist surge
  • www.cysecurity.news: Cyber War Escalates Between Indian and Pakistani Hacktivists After Pahalgam Attack
  • thecyberexpress.com: No Ceasefire in the Cyberspace Between India and Pakistan
  • cyble.com: India Experiences Surge in Hacktivist Group Activity Amid Military Tensions

@cyble.com //
The ransomware landscape is experiencing significant shifts in April 2025, with groups like Qilin taking center stage. Despite a general decline in ransomware attacks from 564 in March to 450 in April, the lowest level since November 2024, Qilin has surged to the top of the ransomware rankings. This rise is attributed to the realignment of cybercriminal groups within the chaotic Ransomware-as-a-Service (RaaS) ecosystem. Qilin is reportedly leveraging sophisticated tools and techniques, contributing to their increased success in recent months.

Qilin's success is partly due to the adoption of advanced tactics, techniques, and procedures (TTPs). Threat actors associated with Qilin have been observed utilizing malware such as SmokeLoader, along with a previously undocumented .NET compiled loader called NETXLOADER, in campaigns dating back to November 2024. NETXLOADER is a highly obfuscated loader designed to deploy additional malicious payloads and bypass traditional detection mechanisms, making it difficult to analyze. This loader plays a critical role in Qilin's stealthy malware delivery method. The surge in activity is reflected in the doubling of disclosures on Qilin's data leak site since February 2025, making it the top ransomware group in April.

The emergence of new actors like DragonForce is reshaping the threat landscape. The group is built for the gig economy. Its features include a 20% revenue share, white-label ransomware kits, pre-built infrastructure. DragonForce quickly moved to absorb affiliates following the April 2025 disappearance of RansomHub, pitching itself as an agile alternative to collapsed legacy operators. A historic surge in ransomware activity is occurring. A total of 2,289 publicly named ransomware victims were reported in just Q1 a 126% year-over-year increase, setting an all-time high. 74 distinct ransomware groups are now operating concurrently, highlighting an explosion of new actors and affiliate-driven threats.

Recommended read:
References :
  • cyble.com: Ransomware Attacks April 2025: Qilin Emerges from Chaos
  • cyble.com: Global ransomware attacks in April 2025 declined to 450 from 564 in – the lowest level since November 2024 – as major changes among the leading Ransomware-as-a-Service (RaaS) groups caused many affiliates to align with new groups.
  • The Hacker News: Qilin Ransomware Ranked Highest in April 2025 with Over 45 Data Leak Disclosures
  • www.redpacketsecurity.com: [QILIN] – Ransomware Victim: www[.]hcsheriff[.]gov