CyberSecurity news

FlagThis - #phishing

info@thehackernews.com (The Hacker News) //
Google Chrome is set to integrate on-device AI, leveraging the 'Gemini Nano' large-language model (LLM), to proactively detect and block tech support scams while users browse the web. This new security feature aims to combat malicious websites that deceive users into believing their computers are infected with viruses or have other technical issues. These scams often manifest as full-screen browser windows or persistent pop-ups, designed to make them difficult to close, with the ultimate goal of tricking victims into calling a bogus support number.

Google is addressing the evolving tactics of scammers, who are known to adapt quickly to exploit unsuspecting users. These deceptive practices include expanding pop-ups to full-screen, disabling mouse input to create a sense of urgency, and even playing alarming audio messages to convince users that their computers are locked down. The 'Gemini Nano' model, previously used on Pixel phones, will analyze web pages for suspicious activity, such as the misuse of keyboard lock APIs, to identify potential tech support scams in real time. This on-device processing is crucial as many malicious sites have a very short lifespan.

When Chrome navigates to a potentially harmful website, the Gemini Nano model will activate and scrutinize the page's intent. The collected data is then sent to Google's Safe Browsing service for a final assessment, determining whether to display a warning to the user. To alleviate privacy and performance concerns, Google has implemented measures to ensure the LLM is used sparingly, runs locally, and manages resource consumption effectively. Users who have opted in to the Enhanced Protection setting will have the security signals sent to Google's Safe Browsing service.


info@thehackernews.com (The Hacker News) //
Google is integrating its Gemini Nano AI model into the Chrome browser to provide real-time scam protection for users. This enhancement focuses on identifying and blocking malicious websites and activities as they occur, addressing the challenge posed by scam sites that often exist for only a short period. The integration of Gemini Nano into Chrome's Enhanced Protection mode, available since 2020, allows for the analysis of website content to detect subtle signs of scams, such as misleading pop-ups or deceptive tactics.

When a user visits a potentially dangerous page, Chrome uses Gemini Nano to evaluate security signals and determine the intent of the site. This information is then sent to Safe Browsing for a final assessment. If the page is deemed likely to be a scam, Chrome will display a warning to the user, providing options to unsubscribe from notifications or view the blocked content while also allowing users to override the warning if they believe it's unnecessary. This system is designed to adapt to evolving scam tactics, offering a proactive defense against both known and newly emerging threats.

The AI-powered scam detection system has already demonstrated its effectiveness, reportedly catching 20 times more scam-related pages than previous methods. Google also plans to extend this feature to Chrome on Android devices later this year, further expanding protection to mobile users. This initiative follows criticism regarding Gmail phishing scams that mimic law enforcement, highlighting Google's commitment to improving online security across its platforms and safeguarding users from fraudulent activities.


@ai-techpark.com //
SpyCloud, a leading identity threat protection company, released an analysis on May 7th, 2025, revealing that a staggering 94% of Fortune 50 companies have had employee identity data exposed due to phishing attacks. The analysis is based on nearly 6 million phished data records recaptured from the criminal underground over the last six months. These findings highlight the growing scale and sophistication of phishing attacks, with cybercriminals increasingly targeting high-value identity data for follow-on attacks such as ransomware, account takeover, and fraud. The data provides valuable insights for organizations to enhance their defenses, improve user training, and prevent identity-based attacks.

Nearly 82% of phishing victims had their email credentials compromised in prior data breaches, according to SpyCloud's analysis. This gives attackers a critical advantage, emphasizing the importance of monitoring and securing compromised credentials. The exposed data often includes email addresses (81% of records), IP addresses (42%), and user-agent information (31%) which identifies device and browser details. The top industries impersonated in phishing campaigns include telecommunications, IT, and financial services, highlighting the specific targets of these malicious activities.

To combat the escalating phishing threat, Brian Jack, chief information security officer at KnowBe4, a partner of SpyCloud, emphasizes the need for ongoing security awareness training and swift, targeted action to remediate exposures. He stated that "Combining human vigilance with actionable intelligence is the most effective way to stop phishing in its tracks – and prevent it from opening the door to broader cyberattacks." The rise of phishing attacks is attributed to cybercriminals modernizing their tactics and evolving campaigns into industrial-scale operations, aided by phishing-as-a-service (PhaaS) platforms and AI.


@arcticwolf.com //
Arctic Wolf Labs has identified a spear-phishing campaign orchestrated by the financially motivated threat group known as Venom Spider. The campaign targets hiring managers by abusing legitimate messaging services and job platforms. Attackers submit fake job applications with malicious resumes, leveraging an updated backdoor called More_eggs.

The fake resumes are designed to deliver the More_eggs backdoor onto the devices of unsuspecting HR personnel. Once installed, the backdoor allows the attackers to perform a variety of malicious activities, including stealing credentials, customer payment data, intellectual property, and trade secrets.

Arctic Wolf warns that the updated More_eggs malware is more sophisticated, making it harder to detect than previous versions. They advise CISOs to warn HR staff about this ongoing threat and implement measures to identify and block these malicious resumes. Notably, threat actors are using msxsl.exe, a legitimate Microsoft Command Line Transformation Utility, to execute the backdoor.


@gbhackers.com //
Cybercriminals are increasingly leveraging adversary-in-the-middle (AiTM) attacks with reverse proxies to bypass multi-factor authentication (MFA), a security measure widely adopted to protect against unauthorized access. This sophisticated technique allows attackers to intercept user credentials and authentication cookies, effectively neutralizing the added security that MFA is designed to provide. Instead of relying on simple, fake landing pages, attackers position reverse proxies between the victim and legitimate web services, creating an authentic-looking login experience. This method has proven highly effective in capturing sensitive information, as the only telltale sign might be a subtle discrepancy in the browser's address bar.

The proliferation of Phishing-as-a-Service (PhaaS) toolkits has significantly lowered the barrier to entry for executing these complex attacks. Platforms like Tycoon 2FA and Evilproxy offer ready-made templates for targeting popular services and include features like IP filtering and JavaScript injection to evade detection. Open-source tools such as Evilginx, originally intended for penetration testing, have also been repurposed by malicious actors, further exacerbating the problem. These tools provide customizable reverse proxy capabilities that enable even novice cybercriminals to launch sophisticated MFA bypass campaigns.

To combat these evolving threats, security experts recommend that organizations reassess their current MFA strategies and consider adopting more robust authentication methods. WebAuthn, a passwordless authentication standard utilizing public key cryptography, offers a potential solution by eliminating password transmission and rendering server-side authentication databases useless to attackers. Additionally, organizations should implement measures to detect unusual session behavior, monitor for newly registered domains, and analyze TLS fingerprints to identify potential AiTM activity. By staying vigilant and adapting their security strategies, organizations can better defend against these advanced phishing techniques and protect their valuable assets.
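One way to implement the "unusual session behavior" check, as an added example (not code from the article or from any vendor): it flags a session whose cookie is later presented from a client context that differs from the one that completed MFA. The log schema, the field names and the `tls_fp` values are assumptions constructed for the example.

```python
import json

# Constructed sample events, one JSON object per line. Field names are
# assumptions; map them to whatever your IdP or web tier actually logs.
SAMPLE_LOG = """\
{"ts": "2025-05-01T09:00:02Z", "user": "alice", "session": "s-1001", "event": "mfa_ok", "ip": "203.0.113.50", "ua": "desktop-chrome", "tls_fp": "fp-a"}
{"ts": "2025-05-01T09:00:05Z", "user": "alice", "session": "s-1001", "event": "request", "ip": "203.0.113.50", "ua": "desktop-chrome", "tls_fp": "fp-a"}
{"ts": "2025-05-01T09:01:00Z", "user": "bob", "session": "s-2002", "event": "mfa_ok", "ip": "198.51.100.10", "ua": "mobile-safari", "tls_fp": "fp-b"}
{"ts": "2025-05-01T09:20:00Z", "user": "bob", "session": "s-2002", "event": "request", "ip": "198.51.100.99", "ua": "mobile-safari", "tls_fp": "fp-b"}
{"ts": "2025-05-01T09:03:30Z", "user": "alice", "session": "s-1001", "event": "request", "ip": "192.0.2.77", "ua": "headless-client", "tls_fp": "fp-z"}
"""

# Client attributes compared against the context that completed MFA.
ATTRS = ("ip", "ua", "tls_fp")


def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_session_replay(events, min_changed=2):
    """Report sessions reused from a different client context.

    The baseline for a session is the context recorded at 'mfa_ok'.
    A later request is reported when at least `min_changed` of ATTRS
    differ from that baseline. Requiring two changes keeps a plain IP
    change (Wi-Fi to mobile data) from raising a finding.
    """
    baseline = {}
    reported = set()
    findings = []
    # Timestamps share one ISO-8601 UTC format, so string order is time order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "mfa_ok":
            baseline[sid] = ev
            continue
        base = baseline.get(sid)
        if base is None or sid in reported:
            continue  # no recorded sign-in, or already reported once
        changed = [a for a in ATTRS if ev.get(a) != base.get(a)]
        if len(changed) >= min_changed:
            reported.add(sid)
            findings.append({
                "session": sid,
                "user": ev["user"],
                "ts": ev["ts"],
                "changed": changed,
                "at_mfa": {a: base.get(a) for a in ATTRS},
                "now": {a: ev.get(a) for a in ATTRS},
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

A finding is a lead for revoking the session and reviewing the sign-in, not proof of compromise; tune `min_changed` to how often your users legitimately change network and client.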


Shivani Tiwari@cysecurity.news //
Cybersecurity firm Bitdefender has issued a warning about a significant increase in subscription scams that are cleverly disguised as legitimate online stores and enticing mystery boxes. This new wave of scams is characterized by its unprecedented sophistication, employing high-quality website design, targeted advertising, and social media exploitation to deceive unsuspecting users. Over 200 fake retail sites have been identified as part of this operation, all designed to harvest credit card data and personal information from victims globally. These sites offer a wide range of products, including clothing, electronics, and beauty items, making it harder for users to distinguish them from genuine e-commerce platforms.

This scam network leverages social media platforms, particularly Facebook, where cybercriminals deploy sponsored ads and impersonate content creators to lure victims. A key component of this fraud is the evolution of the "mystery box" scam, which promises surprise items for a nominal fee but conceals hidden subscription models in the fine print. Victims are often unknowingly enrolled in recurring payment plans, with charges ranging up to 44 EUR every 14 days, disguised as loyalty benefits or exclusive shopping privileges. The scammers exploit the human fascination with the unknown, offering boxes supposedly left at post offices or bags found at airports, requiring a small payment to claim ownership, with the primary objective being collecting financial information.

Bitdefender's investigation reveals that these schemes utilize complex payment structures and convoluted terms to confuse users, transforming a seemingly one-time purchase into recurring charges. To evade detection, scammers employ techniques such as multiple ad versions, Google Drive-hosted images for easy replacement, cropped visuals to bypass pattern recognition, and homoglyph tactics to obscure malicious intent. Many of these fraudulent sites remain active, continuously targeting users globally, with specific campaigns observed in Romania, Canada, and the United States. The connection between these scams and a Cyprus-registered address raises suspicions of a coordinated operation involving offshore entities.


Bill Toulas@BleepingComputer //
The FBI has released a comprehensive list of 42,000 phishing domains linked to the LabHost cybercrime platform. LabHost, a major phishing-as-a-service (PhaaS) platform, was dismantled in April 2024. The extensive list is designed to aid cybersecurity professionals and organizations in strengthening their defenses against phishing attacks. The domains were registered between November 2021 and April 2024, providing a historical record for threat detection.

This release offers a unique opportunity to bolster cybersecurity defenses and enhance threat detection strategies. By integrating these domains into existing security frameworks, organizations can proactively thwart potential threats. Retrospective analysis of logs from November 2021 to April 2024 can uncover previously undetected breaches, allowing organizations to address vulnerabilities. The list serves as a valuable resource for training phishing detection models, improving their accuracy and effectiveness.

The release of the 42,000 domains allows for the creation of comprehensive blocklists to mitigate the risk of threat actors reusing or re-registering these domains. Cybersecurity experts can analyze domain patterns to gain insights into the operations of PhaaS platforms like LabHost. This correlation of intelligence can aid in understanding the tactics, techniques, and procedures (TTPs) employed by cybercriminals, thereby enhancing the ability to predict and counter future threats.


@securityonline.info //
A new malware campaign is targeting WordPress websites by using a plugin disguised as a security tool. The malicious plugin, often named 'WP-antymalwary-bot.php', provides attackers with administrator access to compromised sites, all while remaining hidden from the WordPress admin dashboard. The Wordfence Threat Intelligence team discovered this threat in late January 2025 during a site cleanup, revealing the plugin's ability to maintain access, execute remote code, and inject malicious JavaScript. Other names associated with the plugin include addons.php, wpconsole.php, and wp-performance-booster.php, underscoring the campaign's wide reach and adaptability.

The disguised plugin is designed to appear legitimate, mimicking genuine plugin structure and code indentation, which allows it to easily evade detection by site administrators. Once installed, the plugin exploits the REST API to facilitate remote code execution, injecting malicious PHP code into the site theme's header file or clearing caches of popular caching plugins. Furthermore, the plugin incorporates a "pinging" function to report back to a command-and-control server and the ability to spread malware into other directories. A particularly concerning feature is a modified wp-cron.php file that can reactivate the plugin if removed, ensuring the malware's persistence on the compromised site.

Security researchers have observed newer versions of this malware handling code injections differently. These updated versions fetch JavaScript code from compromised domains to serve ads or spam, demonstrating the malware's evolving sophistication. The presence of Russian language comments within the code suggests that the threat actors may be Russian-speaking. The discovery of this malware campaign highlights the importance of vigilance when installing WordPress plugins. Site owners should always verify the legitimacy and reputation of plugins before installation to prevent compromise and maintain the integrity of their websites.


Pierluigi Paganini@securityaffairs.com //
A new malware campaign is targeting WordPress sites, employing a malicious plugin disguised as a security tool to trick users into installing and trusting it. This plugin, often named 'WP-antymalwary-bot.php,' provides attackers with persistent access, remote code execution, and JavaScript injection, while remaining hidden from the plugin dashboard to evade detection. The malware was first discovered in late January 2025 during a site cleanup, where a modified 'wp-cron.php' file was found, which creates and programmatically activates the malicious plugin.

Cybercriminals are specifically targeting WooCommerce users with a large-scale phishing campaign, aiming to gain backdoor access to WordPress websites. The malicious plugin appears legitimate at first glance, complete with header comments, code indentation, and professional structure. However, it contains a backdoor function that allows attackers to log in as the first administrator user by sending a crafted GET request. This allows them to gain administrative access and inject PHP code into theme files, such as header.php, via a REST API route registered without any permission checks.

The malware enhances its stealth through various methods, including hiding itself from the WordPress Admin Dashboard using the 'hide_plugin_from_list' function. It also communicates with a Command & Control (C2) server, sending periodic "ping" updates to inform the attacker about its operational status. Furthermore, the malware injects malicious JavaScript ads into the site's pages using obfuscated methods and scripts retrieved from compromised external resources. Even if the plugin is deleted, the modified 'wp-cron.php' file reinstalls and reactivates it during the next site visit, ensuring persistence on a compromised site.
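A defender-side sweep for the indicators named in the two reports above, as an added example rather than Wordfence's own tooling: it checks the plugin directory for the reported file names and the `hide_plugin_from_list` function name, lists plugins that exist on disk but are missing from the dashboard list, and compares `wp-cron.php` with a pristine copy. The dashboard name list and the pristine `wp-cron.php` (taken from the same WordPress release) are inputs you supply.

```python
import hashlib
import sys
from pathlib import Path

# File names reported for the fake plugin in the articles above.
REPORTED_NAMES = {
    "wp-antymalwary-bot.php", "addons.php",
    "wpconsole.php", "wp-performance-booster.php",
}
# Function name the article says hides the plugin from the dashboard.
MARKER = b"hide_plugin_from_list"


def sha256(path):
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def scan_plugins(plugins_dir):
    """Return sorted (relative path, reason) pairs for PHP files to review.

    A file name match alone is a weak signal (addons.php is a common
    name), so each finding carries the reasons that triggered it.
    """
    root = Path(plugins_dir)
    findings = []
    for php in root.rglob("*.php"):
        reasons = []
        if php.name.lower() in REPORTED_NAMES:
            reasons.append("reported file name")
        try:
            if MARKER in php.read_bytes():
                reasons.append("contains " + MARKER.decode())
        except OSError:
            reasons.append("unreadable")
        if reasons:
            rel = php.relative_to(root).as_posix()
            findings.append((rel, ", ".join(reasons)))
    return sorted(findings)


def on_disk_but_not_listed(plugins_dir, dashboard_names):
    """Plugins present in the plugin directory but absent from the dashboard list."""
    listed = {name.lower() for name in dashboard_names}
    hidden = []
    for entry in Path(plugins_dir).iterdir():
        if entry.is_file():
            # Single-file plugins live directly in the plugins directory.
            if entry.suffix.lower() != ".php" or entry.name == "index.php":
                continue
            name = entry.stem
        else:
            name = entry.name
        if name.lower() not in listed:
            hidden.append(name)
    return sorted(hidden)


def cron_differs(wp_root, pristine_cron):
    """True when the site's wp-cron.php differs from the pristine copy."""
    return sha256(Path(wp_root) / "wp-cron.php") != sha256(pristine_cron)


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: script.py <wordpress-root> <pristine-wp-cron.php>
    wp_root = Path(sys.argv[1])
    for rel, why in scan_plugins(wp_root / "wp-content" / "plugins"):
        print(f"REVIEW {rel}: {why}")
    if cron_differs(wp_root, sys.argv[2]):
        print("REVIEW wp-cron.php: differs from pristine copy")
```

Because the reports say a modified `wp-cron.php` reinstalls the plugin on the next visit, restore that file from a clean release before deleting anything the sweep finds.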


Pierluigi Paganini@securityaffairs.com //
A large-scale phishing campaign is actively targeting WordPress WooCommerce users, employing deceptive tactics to compromise their websites. Cybercriminals are sending out fake security alerts, urging recipients to download a "critical patch." Unsuspecting users who fall for the scam and download the so-called patch are actually installing a malicious plugin that creates a hidden administrator account and gives attackers backdoor access to their WordPress sites. This campaign highlights the evolving sophistication of cyber threats against e-commerce platforms.

The phishing emails are designed to mimic official WooCommerce communications and often warn of a non-existent "Unauthenticated Administrative Access" vulnerability. To further deceive users, the attackers employ homograph attacks, using domain names that closely resemble the legitimate WooCommerce website but contain subtle character differences such as 'woocommėrce[.]com'. The fake patch, once installed, allows attackers to inject malicious code, redirect site visitors, or even encrypt server resources for extortion.
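The look-alike domain check implied above, as an added example that is not part of the original reports: it folds each linked host name to the ASCII string a reader is likely to perceive and compares it with a protected brand domain. The confusables map is a small constructed subset, and the sample message body and its URL paths are constructed.

```python
import re
import unicodedata

# Brand named in the article; extend with the domains you need to protect.
PROTECTED = {"woocommerce.com"}

# Constructed, deliberately small cross-script look-alike map.
# It is not the full Unicode confusables table (UTS #39).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s",
    "\u03bf": "o", "\u03bd": "v", "\u03b9": "i",                  # Greek
})

URL_HOST = re.compile(r"https?://([^\s/:\"'<>]+)", re.IGNORECASE)

# Constructed message body; \u0117 is the dotted e from the article's example.
SAMPLE_BODY = (
    "Download the critical patch: https://woocomm\u0117rce[.]com/constructed-path\n"
    "Documentation: https://woocommerce.com/constructed-docs\n"
)


def to_unicode(domain):
    """Refang, lowercase and decode any xn-- (punycode) labels."""
    host = domain.replace("[.]", ".").strip().strip(".").lower()
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                pass  # keep an undecodable label as written
        labels.append(label)
    return ".".join(labels)


def to_ascii(domain):
    """The xn-- form that shows up in DNS, proxy and mail-gateway logs."""
    out = []
    for label in to_unicode(domain).split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def skeleton(domain):
    """Strip diacritics and map cross-script look-alikes to ASCII."""
    text = unicodedata.normalize("NFKD", to_unicode(domain))
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.translate(CONFUSABLES)


def _under(host, brand):
    return host == brand or host.endswith("." + brand)


def classify(domain, protected=PROTECTED):
    """Return 'legitimate', 'lookalike:<brand>' or 'unrelated'."""
    uni = to_unicode(domain)
    brands = sorted(protected)
    if any(_under(uni, b) for b in brands):
        return "legitimate"
    skel = skeleton(domain)
    for brand in brands:
        if _under(skel, brand):
            return "lookalike:" + brand
    return "unrelated"


def suspicious_links(body, protected=PROTECTED):
    """Return (host as written, xn-- form, verdict) for look-alike hosts."""
    hits = []
    for host in URL_HOST.findall(body):
        verdict = classify(host, protected)
        if verdict.startswith("lookalike"):
            hits.append((host, to_ascii(host), verdict))
    return hits


if __name__ == "__main__":
    for written, ascii_form, verdict in suspicious_links(SAMPLE_BODY):
        print(f"{verdict}: {written} ({ascii_form})")
```

The `xn--` form is the one to search for in resolver and proxy logs, since that is how the look-alike name appears on the wire.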

Cybersecurity researchers advise WooCommerce users to be extremely cautious when receiving security alerts and to verify the authenticity of any patches directly through official WooCommerce channels. Users should also scan their instances for suspicious plugins or administrator accounts and ensure all software is up to date. The ultimate goal of the attackers is to gain remote control over the websites, allowing them to inject spam or sketchy ads, redirect site visitors to fraudulent sites, enlist the breached server into a botnet for carrying out DDoS attacks, and even encrypt the server resources as part of an extortion scheme.


@computerworld.com //
The Darcula phishing-as-a-service (PhaaS) platform has recently integrated generative AI capabilities, marking a significant escalation in phishing threats. This update allows even individuals with limited technical skills to create highly convincing phishing pages at an unprecedented speed and scale. Security researchers spotted the update on April 23, 2025, noting that the addition of AI makes it simple to generate phishing forms in any language and translate them for new locations, simplifying the process to build tailored phishing pages with multi-language support and form generation — all without any programming knowledge.

The new AI-assisted features amplify Darcula's threat potential and include tools for customizing input forms and enhancing the layout and visual styling of cloned websites, according to Netcraft. The service allows users to provide a URL for any legitimate brand or service, after which Darcula downloads all of the assets from the legitimate website and creates a version that can be edited. Subscribers can then inject phishing forms or credential captures into the cloned website, which looks just like the original. The integration of generative AI streamlines this process, enabling less tech-savvy criminals to deploy customized scams in minutes.

This development lowers the technical barrier for creating phishing pages and is considered to be 'democratizing cybercrime'. Netcraft, a cybersecurity company, has reported taking down more than 25,000 Darcula pages and blocking nearly 31,000 IP addresses since March 2024. The Darcula suite uses iMessage and RCS to send text messages, which allows the messages to bypass SMS firewalls. Because of this, enterprise security teams now face an immediate escalation in phishing threats.

Recommended read:
References :
  • The Register - Security: Darcula, a cybercrime outfit that offers a phishing-as-a-service kit to other criminals, this week added AI capabilities to its kit that help would-be vampires spin up phishing sites in multiple languages more efficiently.
  • www.csoonline.com: The Darcula platform has been behind several high-profile phishing campaigns in the past, targeting both Apple and Android users in the UK, and including package delivery scams that impersonated the United States Postal Service (USPS).
  • The Hacker News: The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities. "This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft said in a fresh report shared with The Hacker News.
  • Daily CyberSecurity: Netcraft researchers have uncovered a major development in the world of phishing-as-a-service (PhaaS): an update to the darcula-suite
  • Blog: ‘Darcula’ PhaaS gets generative AI upgrade
  • hackread.com: Darcula Phishing Kit Uses AI to Evade Detection, Experts Warn
  • securityonline.info: Darcula-Suite: AI Revolutionizes Phishing-as-a-Service Operations

Shira Landau@Email Security - Blog //
A sophisticated phishing campaign is currently targeting Microsoft Office 365 users, leveraging OAuth application functionality to bypass traditional security measures and enterprise-grade spam filters. Attackers are creating applications with embedded phishing messages as the app name, allowing them to generate properly signed security notifications that appear legitimate. These deceptive emails bypass email authentication checks and appear to come from official "no-reply" addresses, successfully navigating through standard email security checks and creating a significant deception that threatens enterprise security frameworks. Security leaders are urged to reassess their defense strategies to address these emerging threats that specifically target authentication mechanisms.

Attackers register a domain and create an associated account to establish their malicious operation. They then create an OAuth app with the phishing message embedded in the app name. Granting their newly created account access to this OAuth app generates a properly signed security notification. This authenticated message is then forwarded to potential victims, directing them to fake sign-in pages that function as credential harvesting mechanisms under the guise of legitimate support pages. These pages, hosted on legitimate subdomains of the email service provider, prompt users to "upload additional documents" or "view case," both leading to credential harvesting.

The "SessionShark" phishing kit is also being used to target Microsoft Office 365 accounts, designed to bypass multi-factor authentication (MFA) by stealing session tokens. This kit operates as an adversary-in-the-middle, intercepting login credentials and user session tokens. It creates a webpage that closely mimics the legitimate Microsoft Office 365 login interface, dynamically adapting to various conditions to increase believability. Once a victim submits their credentials, including completing MFA, the sensitive details and session cookie are instantly logged and exfiltrated to the attacker via Telegram bot integration.

Recommended read:
References :
  • Email Security - Blog: Authentication Breach Alert: OAuth Flaw Enables “Perfect Phishing” Campaign
  • The DefendOps Diaries: Understanding and Mitigating OAuth 2.0 Exploitation in Microsoft 365
  • BleepingComputer: Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts
  • hackread.com: New SessionShark Phishing Kit Bypasses MFA to Steal Office 365 Logins

Stu Sjouwerman@blog.knowbe4.com //
Cybercriminals are increasingly exploiting the power of artificial intelligence to enhance their malicious activities, marking a concerning trend in the cybersecurity landscape. Reports, including Microsoft’s Cyber Signals, highlight a surge in AI-assisted scams and phishing attacks. Guardio Labs has identified a specific phenomenon called "VibeScamming," where hackers leverage AI to create highly convincing phishing schemes and functional attack models with unprecedented ease. This development signifies a "democratization" of cybercrime, enabling individuals with limited technical skills to launch sophisticated attacks.

Cybersecurity researchers at Guardio Labs conducted a benchmark study that examined the capabilities of different AI models in facilitating phishing scams. While ChatGPT demonstrated some resistance due to its ethical guardrails, other platforms like Claude and Lovable proved more susceptible to malicious use. Claude provided detailed, usable code for phishing operations when prompted within an "ethical hacking" framework, while Lovable, designed for easy web app creation, inadvertently became a haven for scammers, offering instant hosting solutions, evasion tactics, and even integrated credential theft mechanisms. The ease with which these models can be exploited raises significant concerns about the balance between AI functionality and security.

To combat these evolving threats, security experts emphasize the need for organizations to adopt a proactive and layered approach to cybersecurity. This includes implementing zero-trust principles, carefully verifying user identities, and continuously monitoring for suspicious activities. As threat actors increasingly blend social engineering with AI and automation to bypass detection, companies must prioritize security awareness training for employees and invest in advanced security solutions that can detect and prevent AI-powered attacks. With improved attack strategies, organizations must stay ahead of the curve by continuously refining their defenses and adapting to the ever-changing threat landscape.


Nathaniel Morales@feeds.trendmicro.com //
Cybercriminals are actively deploying FOG ransomware disguised as communications from the U.S. Department of Government Efficiency (DOGE) via malicious emails. This campaign, which has been ongoing since January, involves cybercriminals spreading FOG ransomware by claiming ties to DOGE in their phishing attempts. The attackers are impersonating the U.S. DOGE to infect targets across multiple sectors, including technology and healthcare. It has been revealed that over 100 victims have been impacted by this DOGE-themed ransomware campaign since January.

Cybercriminals are distributing a ZIP file named "Pay Adjustment.zip" through phishing emails. Inside this archive is an LNK file disguised as a PDF document. Upon execution, this LNK file triggers a PowerShell script named "stage1.ps1", which downloads additional ransomware components. The script also opens politically themed YouTube videos, potentially to distract the victim. The initial ransomware note makes references to DOGE to add confusion. The attackers utilize a tool called 'Ktool.exe' to escalate privileges by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver.

The ransomware note, RANSOMNOTE.txt, references DOGE and includes names of individuals associated with the department. Victims are being asked to pay $1,000 in Monero, although it is unclear whether paying the ransom leads to data recovery or if it is an elaborate troll. Trend Micro revealed that the latest samples of Fog ransomware, uploaded to VirusTotal between March 27 and April 2, 2025, spread through distribution of a ZIP file containing a LNK file disguised as a PDF.

Recommended read:
References :
  • cyberinsider.com: FOG Ransomware Impersonates U.S. DOGE to Infect Targets
  • gbhackers.com: Cybercriminals Deploy FOG Ransomware Disguised as DOGE via Malicious Emails
  • www.trendmicro.com: FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
  • www.scworld.com: Fog ransomware notes troll with DOGE references, bait insider attacks
  • securityonline.info: FOG Ransomware Campaign Targets Multiple Sectors with Phishing and Payload Obfuscation
  • darkwebinformer.com: FOG Ransomware Attack Update for the 21st of April 2025
  • bsky.app: DOGE-themed ransomware hit 100+ victims since January
  • www.cybersecurity-insiders.com: The Fog Ransomware gang, which has been making headlines over the past week due to its increasingly audacious demands, is now requesting a staggering $1 trillion from its victims.
  • The Register - Security: Fog ransomware channels Musk with demands for work recaps or a trillion bucks

@research.checkpoint.com //
Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, is actively targeting European diplomatic entities with a sophisticated phishing campaign that began in January 2025. The threat actors are using deceptive emails disguised as invitations to wine-tasting events, enticing recipients to download a malicious ZIP file. The ZIP file contains a PowerPoint executable ("wine.exe") and two hidden DLL files, one of which is a malware loader dubbed GRAPELOADER. This campaign appears to be focused on targeting European diplomatic entities, including non-European countries’ embassies located in Europe.

GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery. Once executed, GRAPELOADER establishes persistence by modifying the Windows registry, collects basic system information such as the username and computer name, and communicates with a command-and-control (C2) server to fetch additional malicious payloads. The malware copies the contents of the malicious ZIP archive to a new location on the disk and achieves persistence by modifying the Windows registry’s Run key, ensuring that wine.exe is executed automatically every time the system reboots.

In addition to GRAPELOADER, a new variant of WINELOADER, a modular backdoor previously used by APT29, has been discovered and is likely being used in later stages of the attack. GRAPELOADER employs advanced techniques to avoid detection, such as masking strings in its code and only decrypting them briefly in memory before erasing them. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows. The attackers are impersonating officials from various European nations, and in one instance leveraged a compromised Ukrainian Government account.
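As an added example (not code from any of the reports cited on this page), the following Python code triages a ZIP attachment for the two delivery patterns described in the FOG and APT29 items above: a shortcut (LNK) file presented as a document, and an executable packaged with hidden DLLs. The sample archives are constructed in memory, and every inner file name except wine.exe is an assumption made up for illustration.

```python
import io
import zipfile

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
EXEC_EXTS = {".exe", ".scr", ".com"}
DOS_HIDDEN = 0x02  # FILE_ATTRIBUTE_HIDDEN, low byte of external_attr for DOS/Windows-made entries


def suffixes(name):
    """Lowercase dotted suffixes of the last path component, e.g. ['.pdf', '.lnk']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def triage_zip(data):
    """Return sorted (entry, finding) pairs for a ZIP attachment given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [(i, suffixes(i.filename)) for i in zf.infolist() if not i.is_dir()]
    has_exe = any(s and s[-1] in EXEC_EXTS for _, s in entries)
    for info, s in entries:
        last = s[-1] if s else ""
        if last == ".lnk":
            findings.append((info.filename, "shortcut (.lnk) inside archive"))
            if len(s) > 1 and s[-2] in DOC_EXTS:
                findings.append((info.filename, "shortcut named like a document"))
        if last == ".dll":
            if has_exe:
                findings.append((info.filename, "DLL shipped beside an executable"))
            if info.create_system == 0 and info.external_attr & DOS_HIDDEN:
                findings.append((info.filename, "DLL has hidden attribute"))
    return sorted(findings)


def build_zip(members):
    """Build a constructed sample ZIP from (name, hidden) pairs; contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, hidden in members:
            info = zipfile.ZipInfo(name)
            info.create_system = 0  # mark the entry as created on DOS/Windows
            info.external_attr = DOS_HIDDEN if hidden else 0
            zf.writestr(info, b"constructed sample")
    return buf.getvalue()


# Constructed samples: inner file names other than wine.exe are made up.
LNK_SAMPLE = build_zip([("Pay Adjustment.pdf.lnk", False)])
SIDELOAD_SAMPLE = build_zip([("wine.exe", False), ("example_a.dll", True), ("example_b.dll", True)])

if __name__ == "__main__":
    for sample in (LNK_SAMPLE, SIDELOAD_SAMPLE):
        for entry, finding in triage_zip(sample):
            print(f"{entry}: {finding}")
```

The hidden-attribute check only applies to entries whose archive metadata says they were created on DOS/Windows, because the low attribute byte has no defined meaning for other creator systems.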

Recommended read:
References :
  • hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
  • thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
  • ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
  • research.checkpoint.com: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
  • Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats [social] [mal]
  • securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
  • www.esecurityplanet.com: Russian state-linked hacking group is ramping up its cyberattacks against diplomatic targets across Europe, using a new stealthy malware tool known as “GrapeLoader” to deliver malicious payloads through cleverly disguised phishing emails.
  • The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
  • Blog: Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, has launched a sophisticated phishing campaign targeting European diplomatic entities. The attackers are using deceptive emails that mimic invitations to wine-tasting events, enticing recipients to download a malicious ZIP file named wine.zip.
  • Security Risk Advisors: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign