@itpro.com
//
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files-action,' leading to the leakage of secrets from numerous repositories. This incident, first reported by Step Security, involved the compromise of the action, allowing attackers to inject malicious code into CI workflows. This code was designed to dump CI runner memory, potentially exposing sensitive information like API keys and passwords in public repository workflow logs. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script have since been removed to mitigate further exploitation.
This vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025. The malicious code was introduced through a spoofed commit from the Renovate bot, enabling unauthorized access and modification of the action's code. While no external exfiltration of secrets to an attacker-controlled server has been observed, the exposure within affected repositories remains a significant risk. Impacted organizations are urged to take immediate action to mitigate the risk of credential theft and CI pipeline compromise, particularly in public repositories where secrets in workflow logs are publicly accessible.
Recommended read:
References :
- Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
- Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
- Open Source Security: tj-action/changed-files GitHub action was compromised
- Dan Goodin: Is anyone following this breach involving the j-actions/changed-files GitHub Action? Seems pretty major, but I'm still trying to figure out exactly what's going on, who's affected, and what people (and how many) are affected. If you can help me get up to speed please DM me on Signal -- DanArs.82, or on Mastodon
- securityonline.info: Popular GitHub Action “tj-actions/changed-files� Compromised (CVE-2025-30066)
- Risky Business Media: Risky Bulletin: GitHub supply chain attack leaks secrets
- www.itpro.com: Organizations urged to act fast after GitHub Action supply chain attack
- : Tj-actions Supply Chain Attack Exposes 23,000 Organizations
- Latio Pulse: Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack discusses the tj-actions/changed-files supply chain attack.
- The Register - Security: GitHub supply chain attack spills secrets from 23,000 projects
- BleepingComputer: Supply chain attack on popular GitHub Action exposes CI/CD secrets
- www.cybersecuritydive.com: Supply chain attack against GitHub Action triggers massive exposure of secrets
- Metacurity: A GitHub Action used in 23,000 repos was compromised in a supply chain attack
- gbhackers.com: Supply Chain Attack Targets 23,000 GitHub Repositories
- hackread.com: Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos
- www.infoworld.com: Thousands of open source projects at risk from hack of GitHub Actions tool
- bsky.app: Bsky Social - A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
- Wiz Blog | RSS feed: New GitHub Action supply chain attack: reviewdog/action-setup
- unit42.paloaltonetworks.com: Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
- Legit Security Blog: Github Actions tj-actions/changed-files Attack
- Security Risk Advisors: TB2025318 – GitHub Action “tj-actions/changed-files� Compromised to Leak Secrets for Repositories Using the CI/CD Workflow
- securityaffairs.com: GitHub Action tj-actions/changed-files was compromised in supply chain attack
- bsky.app: A cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action is believed to have led to the recent breach of "tj-actions/changed-files" that leaked CI/CD secrets.
- blog.gitguardian.com: Compromised tj-actions/changed-files GitHub Action: A look at publicly leaked secrets
- Kaspersky official blog: Supply chain attack via GitHub Action | Kaspersky official blog
- Risky Business Media: Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects
- thecyberexpress.com: CISA Warns of Exploited GitHub Action CVE-2025-30066 – Users Urged to Patch
- The DefendOps Diaries: Understanding the GitHub Action Supply Chain Attack
- Sam Bent: GitHub Action Vulnerability: Supply Chain Attack Exposes Limited Secrets, Raises Broader Concerns
- Schneier on Security: Critical GitHub Attack
- Aembit: GitHub Action tjactions/changed-files Supply Chain Breach Exposes NHI Risks in CI/CD
- www.cybersecurity-insiders.com: GitHub Supply Chain Attack Raises Awareness Across The Cybersecurity Community
- tl;dr sec: [tl;dr sec] #271 - Threat Modeling (+ AI), Backdoored GitHub Actions, Compromising a Threat Actor's Telegram
Microsoft Threat@Microsoft Security Blog
//
An ongoing phishing campaign impersonating Booking.com is targeting hospitality employees with credential-stealing malware. Microsoft Threat Intelligence has identified the campaign, which began in December 2024 and is ongoing as of February 2025. Cybercriminals are sending malicious emails to employees likely to work with Booking.com, in North America, Oceania, South and Southeast Asia, and Europe, using a social engineering technique called ClickFix to deliver the malware. This campaign aims to conduct financial fraud and theft by compromising employee credentials.
The ClickFix technique involves fake error messages and prompts that instruct users to fix issues by copying and pasting commands, leading to malware downloads. The phishing emails vary in content, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, and account verification to induce clicks. The threat actor, tracked as Storm-1865, has evolved its tactics to bypass security measures.
Recommended read:
References :
- krebsonsecurity.com: Booking.com Phishers May Leave You With Reservations
- Source Asia: Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware
- The DefendOps Diaries: Understanding the ClickFix Phishing Threat to the Hospitality Industry
- The Hacker News: Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails
- : ‘ClickFix’ Phishing Scam Impersonates Booking.com to Target Hospitality
- The Record: Cybercriminals are sending malicious emails to hospitality employees who are likely to work with Booking.com
- bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- The Register - Security: That 'angry guest' email from Booking.com? It's a scam, not a 1-star review
- www.techradar.com: Microsoft warns about a new phishing campaign impersonating Booking.com
- TARNKAPPE.INFO: ClickFix-Phishing: Neue Kampagne richtet sich gegen die Hotellerie
- bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- Virus Bulletin: Microsoft researchers identified a phishing campaign (Storm-1865) that uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft.
- BleepingComputer: Microsoft warns that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- Email Security - Blog: "ClickFix" Phishing Impersonation Campaign Targets Hospitality Sector
- eSecurity Planet: Phishing Campaign Impersonates Booking.com, Plants Malware
- Security Risk Advisors: 🚩Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix� to Deliver Credential-Stealing Malware
- Blog: Phishing campaign impersonates Booking.com, plants malware
- Davey Winder: Booking.com CAPTCHA attack impacts customers—but systems not breached, a spokesperson has said.
- www.computerworld.com: Description of the ClickFix phishing campaign targeting the hospitality industry via fake Booking.com emails.
- www.cysecurity.news: A phishing campaign impersonates Booking.com, targeting organizations in hospitality, using the ClickFix method to spread credential-stealing malware.
- www.cybersecurity-insiders.com: Malware Impersonating Booking.com Targets Hospitality Sector
- thecyberexpress.com: Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix” to Deliver Credential-Stealing Malware
- securityonline.info: Booking.com Impersonated in Phishing Campaign Delivering Credential-Stealing Malware
- gbhackers.com: Microsoft Threat Intelligence has identified an ongoing phishing campaign that began in December 2024, targeting organizations in the hospitality industry by impersonating the online travel agency Booking.com. The campaign, tracked as Storm-1865, employs a sophisticated social engineering technique called ClickFix to deliver credential-stealing malware designed to conduct financial fraud and theft. This attack specifically targets
- Metacurity: The attackers are impersonating Booking.com to deliver credential-stealing malware.
- Talkback Resources: Storm-1865 Impersonates Booking.com in Phishing Scheme
- Blog: Storm-1865 leverages ‘ClickFix’ technique in new phishing campaign
@cyberalerts.io
//
The FBI has issued a warning about the rising trend of cybercriminals using fake file converter tools to distribute malware. These tools, often advertised as free online document converters, are designed to trick users into downloading malicious software onto their computers. While these tools may perform the advertised file conversion, they also secretly install malware that can lead to identity theft, ransomware attacks, and the compromise of sensitive data.
The threat actors exploit various file converter or downloader tools, enticing users with promises of converting files from one format to another, such as .doc to .pdf, or combining multiple files. The malicious code, disguised as a file conversion utility, can scrape uploaded files for personal identifying information, including social security numbers, banking information, and cryptocurrency wallet addresses. The FBI advises users to be cautious of such tools and report any instances of this scam to protect their assets.
The FBI Denver Field Office is warning that they are increasingly seeing scams involving free online document converter tools and encourages victims to report any instances of this scam. Malwarebytes has identified some of these suspect file converters, which include Imageconvertors.com, convertitoremp3.it, convertisseurs-pdf.com and convertscloud.com. The agency emphasized the importance of educating individuals about these threats to prevent them from falling victim to these scams.
Recommended read:
References :
- Talkback Resources: FBI warns of malware-laden websites posing as free file converters, leading to ransomware attacks and data theft.
- gbhackers.com: Beware! Malware Hidden in Free Word-to-PDF Converters
- www.bitdefender.com: Free file converter malware scam “rampant� claims FBI
- Malwarebytes: Warning over free online file converters that actually install malware
- bsky.app: Free file converter malware scam "rampant" claims FBI.
- bsky.app: @bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware
- Help Net Security: FBI: Free file converter sites and tools deliver malware
- www.techradar.com: Free online file converters could infect your PC with malware, FBI warns
- bsky.app: Free file converter malware scam "rampant" claims FBI.
- Security | TechRepublic: Scam Alert: FBI ‘Increasingly Seeing’ Malware Distributed In Document Converters
- securityaffairs.com: The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users’ sensitive information and infect their systems with malware.
- The DefendOps Diaries: FBI warns against fake file converters spreading malware and stealing data. Learn how to protect yourself from these cyber threats.
- PCMag UK security: PSA: Be Careful Around Free File Converters, They Might Contain Malware
- www.bleepingcomputer.com: FBI warnings are true—fake file converters do push malware
- www.techradar.com: FBI warns some web-based file management services are not as well-intentioned as they seem.
- www.csoonline.com: Improvements Microsoft has made to Office document security that disable macros and other embedded malware by default has forced criminals to up their innovation game, a security expert said Monday.
- www.itpro.com: Fake file converter tools are on the rise – here’s what you need to know
- Cyber Security News: The FBI Denver Field Office has warned sternly about the rising threat of malicious online file converter tools. These seemingly harmless services, often advertised as free tools to convert or merge files, are being weaponized by cybercriminals to install malware on users’ computers. This malware can have devastating consequences, including ransomware attacks and identity theft. […]
Shira Landau@Email Security - Blog
//
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.
Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and Guidepoint Security, have studied these letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 to $350,000 within 10 days.
This activity highlights the evolving tactics of cybercriminals who are now employing postal mail to target high-profile individuals in an attempt to extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands and to remain vigilant against these deceptive practices. It’s crucial for organizations to discern fake attacks from real ones amidst the increasing complexity of cybercrime.
Recommended read:
References :
- Arctic Wolf: Self-Proclaimed “BianLian Group� Uses Physical Mail to Extort Organizations
- CyberInsider: Fake BianLian Ransom Notes Delivered to Executives via Post Mail
- DataBreaches.Net: Bogus ‘BianLian’ Gang Sends Snail-Mail Extortion Letters
- www.csoonline.com: Ransomware goes postal: US healthcare firms receive fake extortion letters
- PCMag UK security: Businesses Are Receiving Snail Mail Ransomware Threats, But It's a Scam
- BrianKrebs: Someone has been snail mailing letters to various businesses pretending to be the BianLian ransomware group.
- Cyber Security News: FBI Warns of Data Extortion Scam Targeting Corporate Executives
- gbhackers.com: FBI Warns: Threat Actors Impersonating BianLian Group to Target Corporate Executives
- techcrunch.com: There is no confirmed link between the campaign and the actual BianLian ransomware group, making this an elaborate impersonation.
- thecyberexpress.com: FBI Issues Urgent Warning About Data Extortion Scam Targeting Corporate Executives
- Email Security - Blog: The U.S. Federal Bureau of Investigation (FBI) has recently released an urgent advisory pertaining to a sophisticated email-based extortion campaign.
- Threats | CyberScoop: The FBI is warning business leaders about the scam perpetrated by an unidentified threat group.
- gbhackers.com: The novel approach highlights a shift in extortion tactics.
- Vulnerable U: Executives Receive Fake Snail Mail BianLian Ransomware Notes
- Malwarebytes: Ransomware threat mailed in letters to business owners
- www.scworld.com: The FBI is warning of a ransomware operation targeting C-suite executives via the US Postal Service.
- Cyber Security News: Fake BianLian Ransom Scams Target U.S. Firms Through Mailed Letters
- borncity.com: CISA warning: Cyber criminals (BianLian Groupe) attempt to blackmail executives
- Jon Greig: The FBI warned executives of a new scam where people claiming to be part of the BianLian ransomware gang are mailing physical letters with threats Arctic Wolf said it is aware of at least 20 organizations or executives who have received these letters
- Kali Linux Tutorials: Cyber Threat Group Sends Paper-Based Extortion Letters
- The DefendOps Diaries: Cybercriminals exploit YouTube's copyright system to extort creators, spreading malware and demanding ransoms.
- www.bleepingcomputer.com: Cybercriminals are sending bogus copyright claims to YouTubers to coerce them into promoting malware and cryptocurrency miners on their videos.
jane.mccallion@futurenet.com (Jane@itpro.com
//
Security expert Troy Hunt, the creator of the data breach notification site Have I Been Pwned, has fallen victim to a sophisticated phishing attack. The incident, which occurred on March 25, 2025, resulted in the compromise of his email subscriber list, affecting approximately 16,000 current and past subscribers to his personal blog. The attackers gained access to Hunt's Mailchimp account after he clicked on a malicious link in an email disguised as a legitimate notice from the email marketing provider.
Hunt immediately disclosed the breach, emphasizing the importance of transparency and acknowledging his frustration with falling for the scam. The phishing email exploited a sense of urgency by claiming a spam complaint had triggered a temporary suspension of his account, prompting him to enter his credentials and one-time passcode. While 2FA was enabled on his Mailchimp account, the phish still managed to get the one time passcode. Industry experts have said the incident underscores how even seasoned cybersecurity professionals can be vulnerable to social engineering tactics that prey on human weaknesses, such as tiredness and a sense of urgency.
Recommended read:
References :
- bsky.app: Have I Been Pwned creator Troy Hunt says the data of over 16,000 newsletter subscribers has been stolen after he fell for a Mailchimp phishing attack
- cyberinsider.com: Details the phishing attack on Troy Hunt's Mailchimp account, exposing subscriber data.
- The Register - Security: Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish
- DataBreaches.Net: Troy Hunt, owner of HaveIBeenPwned.com, writes: You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the...
- PCMag UK security: Creator of HaveIBeenPwned Data Breach Site Falls for Phishing Email.
- Information Security Buzz: Security consultant and founder of the popular Troy Hunt, a security consultant who runs the popular data-breach search service Have I Been Pwned?, has disclosed that he has become a victim of a phishing attack that exposed the email addresses of 16,000 subscribers to his blog troyhunt.com.  “Every active subscriber on my list will shortly [...]
- www.itpro.com: Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
- www.csoonline.com: Even anti-scammers get scammed: security expert Troy Hunt pwned by phishing email
- www.techradar.com: HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
- haveibeenpwned.com: In March 2025, . The exported list contained 16k email addresses and other data automatically collected by Mailchimp including IP address and a derived latitude, longitude and time zone.
- Malwarebytes: Security expert Troy Hunt hit by phishing attack
- heise Security: Have I Been Pwned: Projektbetreiber Troy Hunt gepwned Der Betreiber von Have I Been Pwned wurde selbst Opfer eines Phishing-Angriffs. Die E-Mails der Newsletter-Mailingliste wurden gestohlen.
- bsky.app: Troy Hunt's mailing list got phished. Commiserations to him. If it can happen to Troy, it can probably happen to you.
Andres Ramos@Arctic Wolf
//
A resurgence of a fake CAPTCHA malware campaign has been observed, with threat actors compromising widely used websites across various industries. They are embedding a fake CAPTCHA challenge that redirects victims to a site triggering PowerShell code execution. This campaign exploits social engineering tactics and fake software downloads to deceive users into executing malicious scripts.
This tactic is also utilized with fake captchas which resemble legitimate sites. When users attempt to pass the captcha, they are prompted to execute code that has been copied to their clipboard. The OBSCURE#BAT malware campaign is a major cybersecurity threat to both individuals and organizations, primarily due to its ability to compromise sensitive data through advanced evasion techniques, including API hooking. This allows the malware to hide files and registry entries, making detection difficult.
Recommended read:
References :
- Arctic Wolf: Widespread Fake CAPTCHA Campaign Delivering Malware
- hackread.com: New OBSCURE#BAT Malware Targets Users with Fake Captchas
- Security Risk Advisors: 🚩 Fake CAPTCHA Malware Campaign Resurges With Multi-Stage PowerShell Infostealers
- SpiderLabs Blog: Resurgence of a Fake Captcha Malware Campaign
- www.zdnet.com: That weird CAPTCHA could be a malware trap - here's how to protect yourself
- Seceon Inc: Beware of Fake CAPTCHA Scams: How Cybercriminals Are Hijacking Your Clipboard to Steal Data
- www.cysecurity.news: Fake CAPTCHA Scams Trick Windows Users into Downloading Malware
- : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
- Broadcom Software Blogs: In a recent surge of sophisticated cyber threats, attackers are exploiting fake CAPTCHA verifications to hijack users’ clipboards, leading to the installation of information-stealing malware.
- Security Risk Advisors: ClearFake injects JavaScript to show fake CAPTCHAs on compromised sites, tricking users into running PowerShell for Lumma/Vidar malware.
- www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
- gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
- Sucuri Blog: Sucuri Blog: Fake Cloudflare Verification Results in LummaStealer Trojan Infections
- securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
@The DefendOps Diaries
//
Cybercriminals are actively targeting SEO professionals through a sophisticated phishing campaign that exploits Google Ads. The attackers are using fake Semrush advertisements to trick users into visiting deceptive login pages designed to steal their Google account credentials. This campaign is a new twist in phishing, going after users of the Semrush SaaS platform, which is popular among SEO professionals and businesses, and is trusted by 40% of Fortune 500 companies.
This scheme is effective due to the SEO professionals' trust in Semrush, a platform used for advertising and market research. The malicious ads appear when users search for Semrush and redirect them to counterfeit login pages, which look similar to legitimate Semrush URLs. The attackers register domain names that closely resemble real Semrush domains and the only login option is with a Google account, harvesting Google account information for further malicious activities. This provides the attackers with valuable access to Google Analytics and Google Search Console, giving them insight into the companies' financial performance.
Recommended read:
References :
- The DefendOps Diaries: Cybercriminals exploit Google Ads to target SEO pros, using fake Semrush ads to steal Google credentials.
- Help Net Security: Malicious ads target Semrush users to steal Google account credentials
- Malwarebytes: Semrush impersonation scam hits Google Ads
- www.tripwire.com: Tech support scams leverage Google ads again and again, fleecing unsuspecting internet users
- BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
- BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
- bsky.app: Fake Semrush ads used to steal SEO professionals’ Google accounts
- BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
- : Threat actors are looking to compromise Google accounts to further malvertising and data theft
- Email Security - Blog: Cyber criminals have launched a sophisticated phishing campaign that exploits the trusted reputation of Semrush — an SEO firm that's captured of Fortune 500 brands as customers — to compromise Google account credentials.
- gbhackers.com: Hackers Deploy Fake Semrush Ads to Steal Google Account Credentials
info@thehackernews.com (The@The Hacker News
//
A new phishing-as-a-service (PhaaS) platform named 'Morphing Meerkat' is making waves in the cybersecurity world. Discovered by Infoblox Threat Intel, this platform leverages Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that mimic over 100 brands. This allows attackers to tailor their phishing attempts, making them more convincing and harder to detect, as the login pages dynamically adjust to match the victim's email service provider.
The Morphing Meerkat phishing kit has evolved over time, now capable of dynamically translating phishing content into over a dozen languages. It also incorporates sophisticated evasion techniques, such as exploiting open redirects on adtech infrastructure and using compromised WordPress websites. Security experts emphasize the need for robust DNS security measures to combat this evolving threat and protect against credential theft.
Recommended read:
References :
- The Hacker News: Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
- : A PhaaS platform, dubbed 'Morphing Meerkat,' uses DNS MX records to spoof over 100 brands and steal credentials, according to Infoblox Threat Intel
- www.scworld.com: More than 100 brands' login pages have been spoofed by the newly emergent Morphing Meerkat phishing-as-a-service platform through the exploitation of Domain Name System mail exchange records, The Hacker News reports.
- Cyber Security News: Hackers Use DNS MX Records to Generate Fake Login Pages for Over 100+ Brands
- The DefendOps Diaries: Explore Morphing Meerkat, a sophisticated Phishing-as-a-Service threat using advanced evasion techniques to bypass cybersecurity defenses.
- www.techradar.com: This new phishing campaign can tailor its messages to target you with your favorite businesses
info@thehackernews.com (The@The Hacker News
//
The APT group SideWinder is expanding its attacks, now targeting maritime, nuclear, and IT sectors across Asia, the Middle East, and Africa. Previously focused on government, military, and diplomatic institutions, the group has shifted its attention to maritime infrastructure, logistics companies, nuclear power plants, and energy facilities. The attacks, observed by Kaspersky, have spread across multiple countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.
Kaspersky experts have noted an increase in attacks on nuclear power plants and energy generation facilities with the attackers utilizing spear-phishing emails and malicious documents containing industry-specific terminology to gain trust. The group exploits an older Microsoft Office vulnerability (CVE-2017-11882) to bypass detection systems and access operational data, research projects, and personnel data. According to Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov, SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems.
Recommended read:
References :
- The Register - Security: Sidewinder goes nuclear, charts course for maritime mayhem in tactics shift
- The Hacker News: SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
- www.it-daily.net: SideWinder now also attacks nuclear power plants
- securityaffairs.com: SideWinder APT targets maritime and nuclear sectors with enhanced toolset
- Rescana: Inside the Mind of Sidewinder: A Real-World Look at a Sophisticated Cyber Adversary
@www.infosecurity-magazine.com
//
Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT (Remote Access Trojan) via malicious PowerShell commands, according to recent findings. These campaigns involve tricking users into running PowerShell commands that ultimately install the Lumma Stealer. Attackers direct potential victims to attacker-controlled sites and prompt them to complete fake authentication challenges. These challenges often involve directing potential victims to malicious websites where they are prompted to complete verification steps, but instead of a CAPTCHA, it instructs them to press Windows + R and run a PowerShell command—under the false pretense of running “Windows Defender.”
These attacks leverage weaponized CAPTCHAs, with users being directed to malicious websites where they are prompted to complete verification steps. Upon completing these steps, users inadvertently copy and run PowerShell scripts that download and install malware, such as the Lumma Stealer. This allows the attackers to steal sensitive data like cryptocurrency wallets. The exploitation involves fake Cloudflare verification prompts, which lead users to execute malicious PowerShell commands to install the LummaStealer Trojan through infected WordPress sites, posing a significant threat.
Recommended read:
References :
- gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
- securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
- : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
- www.cisecurity.org: Active Lumma Stealer Campaign Impacting U.S. SLTTs
Lawrence Abrams@BleepingComputer
//
A large-scale Coinbase phishing attack is underway, targeting users with a sophisticated scam disguised as a mandatory wallet migration. The attackers trick recipients into setting up a new wallet using a pre-generated recovery phrase, effectively gaining control of any funds transferred into it. The phishing emails falsely claim that Coinbase is transitioning to self-custodial wallets due to a court order, creating a sense of urgency and legitimacy. This manipulation of emotions and perceived authority is a common tactic in phishing scams.
The emails stand out because they lack traditional phishing links, instead directing users to legitimate Coinbase pages to build trust. The core mechanism involves providing a pre-generated recovery phrase, exploiting the user's potential misunderstanding of recovery phrases. By convincing users to set up their new Coinbase Wallet with this phrase, attackers gain full access to the wallet.
Recommended read:
References :
- The DefendOps Diaries: The Evolving Threat of Phishing Scams: A Case Study on Coinbase Users
- www.bleepingcomputer.com: Coinbase phishing email tricks users with fake wallet migration
- : Coinbase Users Targeted in Sophisticated Phishing Scam Posing as Wallet Migration
|
|