CyberSecurity news

FlagThis - #phishing

@cyberalerts.io //
The Tycoon2FA Phishing-as-a-Service (PhaaS) platform, notorious for its ability to bypass multi-factor authentication (MFA) on Microsoft 365 and Gmail accounts, has been updated with new techniques designed to evade detection. This phishing kit targets Microsoft 365 users with advanced methods to slip past endpoint and security protections. These updates enhance the kit's stealth capabilities, posing a significant threat to organizations relying on MFA for security.

New evasion techniques have been implemented, including the use of invisible Unicode characters to conceal binary data within JavaScript. This method allows the payload to be decoded and executed during runtime while avoiding static pattern-matching analysis. Tycoon2FA also employs a custom CAPTCHA rendered via HTML5 canvas and anti-debugging scripts to further complicate analysis and delay script execution, making it difficult for security systems to identify and block the phishing attempts.

The Tycoon2FA phishing kit utilizes Adversary-in-the-Middle (AiTM) tactics to intercept communications between users and legitimate services, capturing session cookies to bypass MFA protections. This allows attackers to gain unauthorized access even if credentials are changed, because the captured session cookies circumvent MFA access controls during subsequent authentication attempts. The improvements made to the Tycoon2FA kit highlight the increasing sophistication of phishing campaigns and the importance of implementing advanced security measures to protect against these evolving threats.

Recommended read:
References :
  • cyberpress.org: Tycoon 2FA Phishing Kit Deploys New Tactics to Bypass Endpoint Detection Systems
  • gbhackers.com: Tycoon 2FA Phishing Kit Uses Advanced Evasion Techniques to Bypass Endpoint Detection Systems
  • The DefendOps Diaries: Understanding and Mitigating the Tycoon2FA Phishing Threat
  • www.bleepingcomputer.com: Tycoon2FA phishing kit targets Microsoft 365 with new tricks
  • SpiderLabs Blog: Tycoon2FA New Evasion Technique for 2025
  • Cyber Security News: The Tycoon 2FA phishing kit has undergone a significant evolution in its tactics, introducing sophisticated evasion techniques to bypass endpoint detection systems and scrutiny from analysts.
  • BleepingComputer: Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.
  • www.bleepingcomputer.com: Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.
  • Daily CyberSecurity: A recent report by SentinelLABS sheds light on a sophisticated phishing-as-a-service (PhaaS) operation called Tycoon 2FA, known for targeting Microsoft 365 and Gmail accounts while bypassing multi-factor authentication (MFA).
  • securityaffairs.com: SecurityAffairs article on Tycoon2FA phishing kit rolling out significant updates
  • www.scworld.com: SCWorld brief on Stealthier Tycoon2FA phishing kit appearing as PhaaS platforms fueling SVG exploitation

@www.silentpush.com //
A China-based eCrime group known as the Smishing Triad has expanded its operations, targeting users across more than 121 countries with sophisticated SMS phishing campaigns. Originally focused on impersonating toll road operators and shipping companies, the group has now pivoted to directly target customers of international financial institutions. This expansion is accompanied by a dramatic increase in their cybercrime infrastructure and support staff, signaling a significant escalation in their activities. The group's operations span a diverse range of industries, including postal, logistics, telecommunications, transportation, finance, retail, and public sectors.

The Smishing Triad's infrastructure is vast, utilizing over 8,800 unique IP addresses and stretching across more than 200 Autonomous System Numbers (ASNs). Recent data from server logs analyzed by Silent Push reveal that the group's infrastructure has been highly active, with over one million page visits logged in just 20 days. This suggests that the actual number of SMS phishing messages sent may be significantly higher than the previously estimated 100,000 per day. A large portion of the group's phishing sites are hosted by major Chinese companies, Tencent and Alibaba, indicating a strong connection to Chinese cyberspace.

The group's latest tactic involves the introduction of the "Lighthouse" phishing kit, unveiled on a Telegram channel by the developer identified as Wang Duo Yu. This kit targets numerous financial institutions, particularly in Australia and the broader Asia-Pacific region, as well as major Western financial institutions like PayPal, Mastercard, and HSBC. The Lighthouse kit boasts advanced features such as one-click setup, real-time synchronization, and mechanisms to bypass multiple layers of security like OTP, PIN, and 3DS verification, making it a formidable tool for stealing banking credentials. Smishing Triad boasts it has “300+ front desk staff worldwide” supporting the Lighthouse kit, and continues to sell its phishing kits to other threat actors via Telegram.

Recommended read:
References :
  • krebsonsecurity.com: China-based SMS Phishing Triad Pivots to Banks - Krebs on Security
  • www.silentpush.com: Silent Push blog on Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit
  • gbhackers.com: Smishing Triad, a Chinese eCrime group, has launched an extensive operation targeting users across more than 121 countries. This campaign, primarily focused on stealing banking credentials, has evolved to include diverse industries, from postal and logistics to finance and retail sectors.
  • bsky.app: SilentPush has published a profile of Chinese cybercrime group Smishing Triad. The group is massive, with operations across 121 countries.
  • cyberpress.org: A prevalent Chinese cybercrime group, dubbed Smishing Triad, has launched an extensive global cyberattack, targeting users in over 120 countries through sophisticated phishing campaigns.
  • gbhackers.com: Smishing Triad, a Chinese eCrime group, has launched an extensive operation targeting users across more than 121 countries.
  • Cyber Security News: CyberPress report on Chinese eCrime Group Launches Global Attack to Steal Banking Credentials from Users in 120+ Countries
  • securityonline.info: Smishing Triad: eCrime Group Targets 121+ Countries with Advanced Smishing

@Talkback Resources //
Despite recent arrests in 2024, the Scattered Spider cybercrime collective remains active in 2025, continuing to target high-profile organizations with sophisticated social engineering attacks. The group, known for its audacious breaches including attacks against MGM Resorts and Caesars Entertainment in 2023, employs tactics such as impersonating IT staff to steal login credentials and using remote access tools. Security firm Silent Push has uncovered the group's persistence in 2025 and has outlined the group's latest tactics, techniques and procedures.

Scattered Spider is utilizing updated phishing kits and a new version of the Spectre RAT malware to compromise systems and exfiltrate sensitive data. Their phishing campaigns involve impersonating well-known brands and software vendors, including the use of dynamic DNS services to evade detection. Targets in 2025 include organizations such as Klaviyo, HubSpot, Pure Storage, Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone.

Law enforcement has made some progress in disrupting Scattered Spider's operations. Noah Michael Urban, also known as "King Bob," a 20-year-old member of the group, pleaded guilty to charges related to SIM swap fraud, aggravated identity theft, and cryptocurrency thefts. He faces potential decades in prison and is required to pay over $13.2 million in restitution to 59 victims. Silent Push made available code for a Spectre RAT string decoder and command and control (C2) emulator that defenders can use in their efforts to squash the eight-legged menace.

Recommended read:
References :
  • Talkback Resources: Scattered Spider adds new phishing kit, malware to its web
  • www.scworld.com: Scattered Spider persists with use of Spectre RAT, new phishing kit
  • cyberpress.org: Article on conducting advances campaigns to steal login credentials and MFA tokens
  • gbhackers.com: The cyber threat landscape has witnessed remarkable adaptation from the notorious hacker collective known as Scattered Spider. Active since at least 2022, this group has been consistently refining its strategies for system compromise, data exfiltration, and identity theft. Silent Push analysts have tracked the evolution of Scattered Spider’s tactics, techniques, and procedures (TTPs) through early
  • cybersecuritynews.com: Scattered Spider Employs Sophisticated Attacks to Steal Login Credentials & MFA Tokens
  • gbhackers.com: Scattered Spider Launches Sophisticated Attacks to Steal Login Credentials and MFA Tokens

Mandvi@Cyber Security News //
Netskope Threat Labs has uncovered a new evasive campaign that uses fake CAPTCHAs and CloudFlare Turnstile to deliver the LegionLoader malware. This sophisticated attack targets individuals searching for PDF documents online, tricking them into downloading malware that installs a malicious browser extension. This extension is designed to steal sensitive user data. The campaign has been active since February 2025 and has impacted over 140 customers.

The attack begins when victims are lured to malicious websites after searching for specific PDF documents. These sites present fake CAPTCHAs. Interacting with the fake CAPTCHA redirects the victim through a Cloudflare Turnstile page to a notification prompt. If the user enables browser notifications, they are directed to download what they believe is their intended document. However, this process executes a command that downloads a malicious MSI installer.

Upon execution, the MSI file installs a program named "Kilo Verfair Tools" which sideloads a malicious DLL, initiating the LegionLoader infection. The LegionLoader payload uses a custom algorithm to deobfuscate shellcode and then injects the payload into an "explorer.exe" process. This ultimately leads to the installation of a malicious browser extension, often masquerading as "Save to Google Drive". This extension steals sensitive information like clipboard data, cookies, and browsing history. The affected sectors include technology and business services, retail, and telecommunications.

Recommended read:
References :
  • Cyber Security News: LegionLoader Delivered Through Fake CAPTCHAs and Abused Cloudflare Turnstile by Threat Actors
  • cybersecuritynews.com: Threat Actors Using Fake CAPTCHAs and CloudFlare Turnstile to Deliver LegionLoader
  • gbhackers.com: Threat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader
  • Virus Bulletin: The Netskope Threat Labs team discovered a campaign abusing fake CAPTCHA & CloudFlare Turnstile to deliver LegionLoader.
  • securityonline.info: New Evasive Campaign Uses Fake CAPTCHAs to Deliver LegionLoader
  • gbhackers.com: Threat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader
  • Threat Labs - Netskope: The Netskope Threat Labs team discovered a campaign abusing fake CAPTCHA & CloudFlare Turnstile to deliver LegionLoader.

Stu Sjouwerman@blog.knowbe4.com //
Tolling agencies throughout the United States are currently grappling with an escalating cybersecurity threat: deceptive text message scams known as smishing. These scams involve cybercriminals sending text messages that impersonate toll payment notifications, tricking individuals into clicking malicious links and making unauthorized payments. These messages often embed links that, if clicked, take the victim to a phishing site impersonating E-ZPass, The Toll Roads, FasTrak, Florida Turnpike, or another toll authority.

These scams are part of a sophisticated campaign leveraging platforms, most recently a PhaaS platform called Lucid. This platform enables cybercriminals to launch large-scale phishing campaigns with minimal effort. Cybercriminals behind this scheme are exploiting legitimate communication technologies like Apple iMessage and Android RCS to bypass traditional spam filters and deliver their malicious messages at scale.

The phishing messages typically claim unpaid toll fees and threaten fines or license suspension if recipients fail to respond. The Lucid platform offers advanced features such as dynamic targeting, device-specific focus, and evasion techniques. These features allow attackers to tailor campaigns for iOS or Android users, block connections from non-targeted regions, and prevent direct access to phishing domains.

Recommended read:
References :
  • aboutdfir.com: Have you ever received an odd text message on your phone, purporting to be from a toll provider or package delivery service? If you have a U.S. cell phone, chances are you’ve encountered one of these SMiShing attempts—cybercriminals’ latest ploy to trick you into giving up your personal
  • www.cysecurity.news: Tolling agencies throughout the United States are battling an escalating cybersecurity threat that is causing deceptive text message scams, which are often called smishing, to escalate.
  • Cyber Security News: Beware! Phishing Scam Uses Fake Unpaid Tolls Messages to Harvest Login Credentials
  • gbhackers.com: Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials
  • www.bleepingcomputer.com: The E-ZPass toll payment texts return in massive phishing wave
  • BleepingComputer: Toll payment text scam returns in massive phishing wave
  • The DefendOps Diaries: The Toll Payment Text Scam: A Modern Cybersecurity Threat
  • www.bleepingcomputer.com: An ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts to steal personal and credit card information.
  • blog.knowbe4.com: Upgraded Phishing-as-a-Service Platform Drives a Wave of Smishing Attacks
  • cybersecuritynews.com: Threat Actors Leveraging Toll Payment Services in Massive Hacking Attack
  • Cyber Security News: Toll Payment Services Abused in Large-Scale Hacking Campaign
  • gbhackers.com: Threat Actors Exploit Toll Payment Services in Widespread Hacking Campaign
  • securityonline.info: Smishing campaigns exploiting toll payment systems to deceive consumers into disclosing sensitive information, often linked to popular platforms like FasTrak, E-ZPass, and I-Pass.
  • securityonline.info: Smishing Triad Expands Fraud Campaign, Targets Toll Payment Services
  • www.scworld.com: Toll payment service-targeted schemes by Smishing Triad escalates
  • blog.talosintelligence.com: Unraveling the U.S. toll road smishing scams
  • DataBreaches.Net: E-ZPass toll payment texts return in massive phishing wave
  • Blog: Unpaid toll-themed smishing campaign gives victims no free ‘E-ZPass’
  • Cisco Talos: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
  • Cisco Talos Blog: Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
  • krebsonsecurity.com: China-based SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad†mainly impersonated toll road operators and shipping companies.
  • www.silentpush.com: Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit
  • bsky.app: SilentPush has published a profile of Chinese cybercrime group Smishing Triad. The group is massive, with operations across 121 countries. The report also looks at the group's new phishing kit, named Lighthouse.
  • gbhackers.com: Smishing Triad has targeted numerous countries, including but not limited to UK, Canada, and USA.
  • www.silentpush.com: Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit

Stu Sjouwerman@blog.knowbe4.com //
Since October 2024, a widespread SMS phishing campaign has been targeting toll road users across the United States. This "smishing" scam involves fraudulent text messages impersonating E-ZPass and other U.S.-based toll agencies. These messages falsely claim recipients have unpaid tolls, urging immediate payment to avoid penalties or suspension of driving privileges. The texts contain links leading to counterfeit websites designed to steal personal and financial information.

These fake websites prompt victims to enter their name, address, phone number, and credit card information. After a fake bill is shown, and the user clicks "Proceed Now", this sensitive data is then harvested by the threat actors. Authorities have been aware of similar scams, including a warning issued by the FBI's Internet Crime Complaint Center (IC3) in April 2024. The current surge and targeting of toll road users in multiple states indicates the likelihood of the threat actors leveraging user information publicly leaked from large databases.

The individuals behind these phishing kits are known as the 'Smishing Triad', who are a China-based eCrime group. The group has systematically targeted organizations in at least 121 countries across numerous industries including postal, logistics, telecommunications, transportation, finance, retail, and public sectors with SMS phishing. The Smishing Triad claims to have over 300 front desk staff worldwide supporting their operations, and they continue to sell phishing kits to other threat actors via Telegram and other channels. Silent Push analysts have acquired Smishing Triad server log data and determined that portions of the group’s infrastructure generated over one million page visits within a period of only 20 days.

Recommended read:
References :
  • Cisco Talos Blog: Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
  • Blog: A recent smishing campaign is impersonating E-ZPass and other U.S.-based toll agencies and sending fraudulent text messages to individuals. These messages claim that recipients have unpaid tolls and urge immediate payment to avoid penalties or suspension of driving privileges.
  • Cisco Talos: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
  • krebsonsecurity.com: China-based SMS phishing Triad Pivots to Banks

@gbhackers.com //
References: gbhackers.com , Malwarebytes ,
Cybercriminals are increasingly employing sophisticated tactics to bypass traditional security measures and ensnare unsuspecting users in phishing scams. One notable trend is the use of benign-worded email subjects such as "request," "forward," and "report" to lower suspicion. Additionally, attackers are leveraging URL shorteners and QR codes to mask malicious links, making it harder for users and security systems to identify threats. These techniques allow cybercriminals to evade detection and increase the likelihood of successful attacks aimed at stealing personal and financial information.

Tax-themed phishing campaigns are surging as the United States approaches Tax Day on April 15th. Microsoft has observed threat actors exploiting tax-related anxieties through emails containing malicious attachments. These attachments frequently include QR codes that redirect users to fake login pages designed to steal credentials. In other instances, attackers embed DoubleClick URLs in PDF attachments that redirect users through shortened links to fake DocuSign pages, serving either malicious JavaScript files leading to malware installation or benign decoy files based on filtering rules.

The malware families being deployed in these campaigns are becoming increasingly advanced. Latrodectus, for example, features dynamic command-and-control configurations and anti-analysis capabilities, allowing attackers to execute Windows commands remotely and establish persistence through scheduled tasks. BruteRatel C4 (BRc4), originally designed for red-teaming exercises, is being exploited for post-exploitation activities, enabling attackers to bypass security defenses. According to Kendall McKay, strategic lead for cyber threat intelligence at Cisco’s Talos division, phishing scams are constantly evolving to maintain their effectiveness.

Recommended read:
References :
  • gbhackers.com: Hackers Use URL Shorteners and QR Codes in Tax-Themed Phishing Attacks
  • Malwarebytes: QR codes sent in attachments are the new favorite for phishers
  • www.cysecurity.news: Phishing Scams Are Getting Smarter – And More Subtle : Here’s All You Need to Know

info@thehackernews.com (The@The Hacker News //
A new phishing campaign called 'PoisonSeed' has emerged, posing a significant cybersecurity threat by targeting customer relationship management (CRM) platforms and bulk email service providers. The campaign leverages compromised credentials to distribute emails containing cryptocurrency seed phrases, aiming to drain victims' digital wallets. This activity forms part of a broader supply chain attack, impacting enterprise organizations and individuals outside the cryptocurrency industry, with crypto companies like Coinbase and Ledger and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho among the targeted companies.

PoisonSeed's method involves creating convincing phishing pages mimicking login portals for popular CRM and email platforms. These deceptive pages trick victims into revealing their credentials, after which the attackers automate the export of email lists and create API keys for persistent access. Compromised accounts are then used to send bulk phishing emails with urgent lures, such as fake wallet migration notices, urging recipients to set up new cryptocurrency wallets using a provided seed phrase. If entered, this seed phrase allows attackers to access the wallet and steal funds, initiating a cryptocurrency seed phrase poisoning attack.

Silent Push analysts have identified an extensive list of Indicators of Compromise (IoCs) associated with PoisonSeed's infrastructure, including phishing domains like mailchimp-sso[.]com and C2 Servers with IP addresses such as 212.224.88[.]188. While PoisonSeed shares some tactics with known groups like Scattered Spider and CryptoChameleon, it's considered a distinct entity with a focus on cryptocurrency theft rather than ransomware attacks. This malicious campaign exploits CRM credentials to spread cryptocurrency seed phrase attacks, placing many wallets at risk of compromise.

Recommended read:
References :
  • The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
  • www.bleepingcomputer.com: Threat actors are leveraging compromised credentials.
  • bsky.app: PoisonSeed phishing campaign behind emails with wallet seed phrases
  • Cyber Security News: The campaign targets individuals and organizations outside the cryptocurrency industry.
  • gbhackers.com: PoisonSeed uses advanced phishing techniques.
  • securityonline.info: SecurityOnline.info - PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets
  • securityonline.info: Threat actors target email providers to provide infrastructure for cryptocurrency spam operations.
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
  • www.silentpush.com: Silent Push blog about PoisonSeed campaign.
  • Cyber Security News: A new phishing campaign, PoisonSeed, has been targeting CRM and email providers to obtain email lists for bulk cryptocurrency spamming.
  • Security Risk Advisors: PoisonSeed Actors Hijack Bulk Email Services to Execute Cryptocurrency Seed Phrase Attacks

info@thehackernews.com (The@The Hacker News //
The Lucid PhaaS platform, operated by the XinXin group, is being used in sophisticated smishing campaigns targeting 169 entities across 88 countries. This Phishing-as-a-Service (PhaaS) platform leverages legitimate communication channels like Apple iMessage and Android RCS to bypass traditional SMS spam filters, significantly increasing delivery and success rates. Cybercriminals are using Lucid to harvest credit card details and personally identifiable information (PII) for financial fraud.

The platform employs social engineering tactics, including impersonating postal services, courier companies, and tax refund agencies. It offers credit card validation tools and can clone any brand's website to create phishing versions. Telecom providers face challenges in preventing these attacks due to the end-to-end encryption of iMessage and RCS. Cybersecurity experts recommend that users independently verify communications with trusted organizations through official channels to avoid falling victim to these scams.

Recommended read:
References :
  • The Hacker News: Lucid PhaaS Hits 169 Targets in 88 Countries Using iMessage and RCS Smishing
  • www.cysecurity.news: Lucid Faces Increasing Risks from Phishing-as-a-Service
  • www.redhotcyber.com: Phishing come se non ci fosse un domani! Arriva Lucid PhaaS, la piattaforma cinese per truffe globali
  • Blog: XinXin group offers new ‘dreamy’ PhaaS platform
  • blog.knowbe4.com: A phishing-as-a-service (PhaaS) platform dubbed ‘Lucid’ is driving a surge in SMS (smishing) attacks, according to researchers at Prodaft.

@www.microsoft.com //
Tax season 2025 has seen a surge in ransomware attacks leveraging the RansomHub platform, targeting various sectors. Threat actors are actively exploiting tax-related themes to deploy highly targeted phishing campaigns, employing malicious hyperlinks and attachments. Multiple malware families including BRc4, Latrodectus, and Remcos are being delivered through these campaigns, utilizing phishing-as-a-service (PhaaS) kits such as RaccoonO365, as well as QR codes, and redirection tactics like URL shorteners to evade detection and compromise systems.

These attacks often begin with convincing IRS-themed lures delivered via phishing emails that exploit trust in familiar services like DocuSign or Microsoft 365. Attackers are using tactics involving fake tax verification forms with embedded links, PDF attachments containing QR codes, and redirects hosted on compromised websites or abused cloud services like Firebase and Dropbox. This malicious activity highlights the continued effectiveness of phishing techniques and the widespread use of RaaS, emphasizing the need for enhanced security measures during tax season.

Recommended read:
References :
  • Source: Threat actors leverage tax season to deploy tax-themed phishing campaigns
  • Vulnerable U: Tax Season Phishing 2025 - Full Threat Breakdown
  • The Hacker News: Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware
  • Cyber Security News: Cybercriminals Exploit URL Shorteners and QR Codes for Tax-Related Phishing Scams

do son@securityonline.info //
A new "ClickFake Interview" campaign, attributed to the Lazarus Group, is targeting professionals in the cryptocurrency sector with fraudulent job offers. Security researchers at Sekoia discovered the operation, revealing that threat actors impersonate recruiters on platforms like LinkedIn and X (formerly Twitter) to lure victims into fake job interviews. These interviews are designed to trick candidates into opening malicious documents or clicking on compromised links, ultimately leading to malware infection and potential data theft.

The malware, dubbed "ClickFix" or sometimes distributed through the GolangGhost backdoor, grants attackers remote access to compromised systems. This allows the Lazarus Group to steal sensitive information, including cryptocurrency wallet credentials, execute arbitrary commands, and maintain persistent access. Sekoia warns that this campaign reflects a new Lazarus strategy targeting cryptocurrency industry employees, even those with limited technical expertise, making them less likely to detect malicious activity during the interview process. Professionals are advised to verify recruiter identities, avoid downloading files from unknown sources, and utilize endpoint protection to mitigate risks.

Recommended read:
References :
  • : New “ClickFake Interview” campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
  • www.scworld.com: ClickFix technique leveraged in new crypto-targeted Lazarus attacks
  • Virus Bulletin: Sekoya researchers discovered a ClickFake Interview campaign targeting job seekers with fake job interview websites. The infrastructure aligns with technical indicators linked to the Contagious Interview campaign and delivers GolangGhost backdoor for Windows & macOS
  • Security Risk Advisors: Lazarus Uses “ClickFake Interviewâ€� to Distribute Backdoors via Fake Crypto Job Websites
  • The Hacker News: Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware

Fogerlog@Phishing Tackle //
A sophisticated phishing-as-a-service (PhaaS) platform known as Morphing Meerkat is actively exploiting DNS vulnerabilities. According to a recent analysis, this operation leverages DNS mail exchange (MX) records to dynamically generate and serve fake login pages tailored to victims' email providers, impersonating over 100 brands. This technique creates highly convincing impersonations, making it increasingly difficult for users to distinguish between legitimate and malicious login pages.

Researchers have discovered that Morphing Meerkat utilizes DNS over HTTPS (DoH) to evade detection, acting as a secret tunnel by encrypting DNS queries. The platform queries DNS MX records to identify the specific email service used by the target and generate spoofed login pages that closely mimic the genuine ones, increasing the likelihood of successful credential theft. This PhaaS platform has been active since at least 2020 and has evolved significantly, including dynamic translation into over a dozen languages.

Recommended read:
References :
  • hackread.com: A recent analysis published by Infoblox reveals a sophisticated phishing operation, dubbed Morphing Meerkat, actively exploiting DNS vulnerabilities…
  • The DefendOps Diaries: Explore Morphing Meerkat, a sophisticated Phishing-as-a-Service threat using advanced evasion techniques to bypass cybersecurity defenses.
  • www.bleepingcomputer.com: A new phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection. [...]

@www.silentpush.com //
A sophisticated phishing campaign, suspected to be backed by Russian Intelligence Services, has been uncovered targeting individuals sympathetic to Ukraine, including Russian citizens and informants. The operation involves creating fake websites impersonating organizations such as the CIA, the Russian Volunteer Corps (RVC), Legion Liberty, and "Hochuzhit" ("I Want to Live"), an appeals hotline for Russian service members operated by Ukrainian intelligence. These deceptive sites aim to collect personal information from unsuspecting visitors, exploiting anti-war sentiment within Russia, where such activities are illegal and punishable by law.

Researchers at Silent Push discovered four distinct phishing clusters using tactics such as static HTML, JavaScript, and Google Forms to steal data. The threat actors are utilizing a bulletproof hosting provider, Nybula LLC, to host the fake websites, which are designed to mimic legitimate organizations. The goal is to gather intelligence and potentially identify dissidents within Russia. The campaign highlights the ongoing digital dimension of the Russia-Ukraine conflict and underscores the need for increased vigilance and improved digital hygiene among potential targets.

Recommended read:
References :
  • gbhackers.com: reports on the Russian attempts to steal Ukraine Defense Intelligence data
  • hackread.com: Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters
  • www.silentpush.com: Russian Intelligence Service-backed Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants
  • Cyber Security News: In a sophisticated cyber espionage campaign recently uncovered, Russian hackers have been impersonating the U.S. Central Intelligence Agency (CIA) and other organizations to harvest sensitive information from Ukrainian sympathizers and potential Russian defectors.
  • securityonline.info: Silent Push Threat Analysts uncover a multi-cluster phishing operation leveraging fake CIA and anti-Putin group websites to harvest
  • Vulnerable U: Russian Hackers Target Ukraine With Stealthy Malware Attack

Fogerlog@Phishing Tackle //
References: The Hacker News , , Cyber Security News ...
A new sophisticated Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat," is exploiting DNS MX records to dynamically deliver tailored phishing pages, targeting over 100 brands. This operation enables both technical and non-technical cybercriminals to launch targeted attacks, bypassing security systems through the exploitation of open redirects on adtech servers and compromised WordPress websites. The platform's primary attack vector involves mass spam delivery and dynamic content tailoring, evading traditional security measures.

Researchers have discovered that Morphing Meerkat queries DNS MX records using Cloudflare DoH or Google Public DNS to customize fake login pages based on the victim's email service provider. This technique allows the platform to map these records to corresponding phishing HTML files, featuring over 114 unique brand designs. This personalized phishing experience significantly increases the likelihood of successful credential theft. The phishing kit also uses code obfuscation and anti-analysis measures to hinder detection, supporting over a dozen languages to target users globally.

Recommended read:
References :
  • The Hacker News: Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
  • : Morphing Meerkat PhaaS Platform Spoofs 100+ Brands
  • www.scworld.com: More than 100 brands' login pages have been spoofed by the newly emergent Morphing Meerkat phishing-as-a-service platform through the exploitation of Domain Name System mail exchange records, The Hacker News reports.
  • Cyber Security News: Hackers Use DNS MX Records to Generate Fake Login Pages for Over 100+ Brands
  • The DefendOps Diaries: Morphing Meerkat: A Sophisticated Phishing-as-a-Service Threat
  • www.techradar.com: This new phishing campaign can tailor its messages to target you with your favorite businesses
  • Christoffer S.: Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks
  • hackread.com: Details advanced phishing operation exploiting DNS vulnerabilities.
  • Infoblox Blog: Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims.
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Cyber Security News: A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers.
  • gbhackers.com: The platform, which has been operational since at least January 2020, employs a range of advanced techniques to evade detection and target users globally.
  • securityaffairs.com: A PhaaS platform, dubbed 'Morphing Meerkat,' uses DNS MX records to spoof over 100 brands and steal credentials, according to Infoblox Threat Intel
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Blog: Cybersecurity researchers are tracking a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that employs DNS over HTTPS (DoH) to avoid detection.
  • : Phishing kits going to great lengths to personalise attacks
  • Malwarebytes: Infoblox researchers discovered a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that generates multiple phishing kits and spoofs login pages of over 100 brands using DNS mail exchange (MX) records.
  • securityaffairs.com: Morphing Meerkat phishing kits exploit DNS MX records
  • bsky.app: A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.
  • Talkback Resources: Morphing Meerkat phishing kits exploit DNS MX records
  • Security Risk Advisors: 🚩Morphing Meerkat’s Phishing-as-a-Service Leverages DNS MX Records for Targeted Attacks
  • Talkback Resources: New Morphing Meerkat PhaaS platform examined
  • Virus Bulletin: An Infoblox report looks into a DNS technique used to tailor content to victims. A phishing kit developed by the Morphing Meerkat actor creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.
  • Phishing Tackle: Phishing-as-a-Service Exposed: DNS-over-HTTPS Fuels the Morphing Meerkat Attack
  • Virus Bulletin: An Infoblox report looks into a DNS technique used to tailor content to victims. A phishing kit developed by the Morphing Meerkat actor creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.

jane.mccallion@futurenet.com (Jane@itpro.com //
Security expert Troy Hunt, the creator of the data breach notification site Have I Been Pwned, has fallen victim to a sophisticated phishing attack. The incident, which occurred on March 25, 2025, resulted in the compromise of his email subscriber list, affecting approximately 16,000 current and past subscribers to his personal blog. The attackers gained access to Hunt's Mailchimp account after he clicked on a malicious link in an email disguised as a legitimate notice from the email marketing provider.

Hunt immediately disclosed the breach, emphasizing the importance of transparency and acknowledging his frustration with falling for the scam. The phishing email exploited a sense of urgency by claiming a spam complaint had triggered a temporary suspension of his account, prompting him to enter his credentials and one-time passcode. While 2FA was enabled on his Mailchimp account, the phish still managed to get the one time passcode. Industry experts have said the incident underscores how even seasoned cybersecurity professionals can be vulnerable to social engineering tactics that prey on human weaknesses, such as tiredness and a sense of urgency.

Recommended read:
References :
  • haveibeenpwned.com: In March 2025, . The exported list contained 16k email addresses and other data automatically collected by Mailchimp including IP address and a derived latitude, longitude and time zone.
  • PCMag UK security: Creator of HaveIBeenPwned Data Breach Site Falls for Phishing Email
  • www.itpro.com: Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
  • Malwarebytes: Security expert Troy Hunt hit by phishing attack
  • gbhackers.com: Mozilla is working to patch the vulnerability, tracked as CVE-2025-2857, with security updates for Firefox 136.0.4 and Firefox ESR versions 128.8.1 and 115.21.1.
  • securityaffairs.com: Mozilla addressed a critical vulnerability, tracked as CVE-2025-2857, impacting its Firefox browser for Windows.
  • The DefendOps Diaries: Mozilla warns of a critical Firefox vulnerability allowing sandbox escapes, posing significant security risks to Windows users.