CyberSecurity news
FlagThis - #phishing
|
Nathaniel Morales@feeds.trendmicro.com
//
Cybercriminals are actively deploying FOG ransomware disguised as communications from the U.S. Department of Government Efficiency (DOGE) via malicious emails. This campaign, which has been ongoing since January, involves cybercriminals spreading FOG ransomware by claiming ties to DOGE in their phishing attempts. The attackers are impersonating the U.S. DOGE to infect targets across multiple sectors, including technology and healthcare. It has been revealed that over 100 victims have been impacted by this -DOGE-themed ransomware campaign since January.
Cybercriminals are distributing a ZIP file named "Pay Adjustment.zip" through phishing emails. Inside this archive is an LNK file disguised as a PDF document. Upon execution, this LNK file triggers a PowerShell script named "stage1.ps1", which downloads additional ransomware components. The script also opens politically themed YouTube videos, potentially to distract the victim. The initial ransomware note makes references to DOGE to add confusion. The attackers utilize a tool called 'Ktool.exe' to escalate privileges by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver. The ransomware note, RANSOMNOTE.txt, references DOGE and includes names of individuals associated with the department. Victims are being asked to pay $1,000 in Monero, although it is unclear whether paying the ransom leads to data recovery or if it is an elaborate troll. Trend Micro revealed that the latest samples of Fog ransomware, uploaded to VirusTotal between March 27 and April 2, 2025, spread through distribution of a ZIP file containing a LNK file disguised as a PDF. Recommended read:
References :
Stu Sjouwerman@blog.knowbe4.com
//
A China-based cybercriminal gang known as the "Smishing Triad" is reportedly launching a wave of SMS phishing attacks, or "smishing," targeting users in both the US and the UK. These attacks are themed around road tolls, with victims receiving text messages that appear to be from toll road operators. The messages warn recipients of unpaid toll fees and potential fines if the fees are not promptly addressed. Cybersecurity researchers have issued warnings about this widespread and ongoing SMS phishing campaign, noting that it has been actively targeting toll road users since mid-October 2024, aiming to steal their financial information.
Researchers have linked the surge in these SMS scams to new features added to a popular commercial phishing kit sold in China. This kit simplifies the process of creating convincing lures that spoof toll road operators across multiple US states. The phishing pages are designed to closely mimic the websites of these operators as they appear on mobile devices, and in some cases, will not even load unless accessed from a mobile device. The goal of these kits is to obtain enough information from victims to add their payment cards to mobile wallets. These cards can then be used for fraudulent purchases in physical stores, online, or to launder money through shell companies. The phishing campaigns often impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across several states including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. The texts prompt recipients to click on a fake link, often requiring them to reply with "Y" to activate the link, a tactic used in other phishing kits. Victims who click the link are directed to a fraudulent E-ZPass page where they are asked to enter personal and financial information, which is then stolen by the attackers. Recommended read:
References :
Zeljka Zorz@Help Net Security
//
Microsoft is warning Windows users about a actively exploited vulnerability, CVE-2025-24054, which allows attackers to capture NTLMv2 responses. This can lead to the leakage of NTLM hashes and potentially user passwords, compromising systems. The vulnerability is exploited through phishing attacks utilizing maliciously crafted .library-ms files, prompting users to interact with the files through actions like right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. The original version,NTLMv1, had several security flaws that made it vulnerable to attacks such aspass-the-hashandrainbow table attacks.
Attackers have been actively exploiting CVE-2025-24054 since March 19, 2025, even though Microsoft released a patch on March 11, 2025. Active exploitation has been observed in campaigns targeting government entities and private institutions in Poland and Romania between March 20 and 21, 2025. The attack campaign used email phishing links to distribute a Dropbox link containing an archive file that exploits the vulnerability, which harvests NTLMv2-SSP hashes. The captured NTLMv2 response, can be leveraged by attackers to attempt brute-force attacks offline or to perform NTLM relay attacks, which fall under the category of man-in-the-middle attacks. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network. Microsoft released a patch on March 11, 2025 addressing the vulnerability with users being advised to apply the patches. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
APT29, a Russian state-sponsored hacking group also known as Cozy Bear or Midnight Blizzard, is actively targeting European diplomatic entities with a sophisticated phishing campaign that began in January 2025. The group is using deceptive emails disguised as invitations to wine-tasting events to entice recipients into downloading a malicious ZIP file. This archive, often named "wine.zip," contains a legitimate PowerPoint executable alongside malicious DLL files designed to compromise the victim's system. These campaigns appear to focus primarily on Ministries of Foreign Affairs, as well as other countries' embassies in Europe, with indications suggesting that diplomats based in the Middle East may also be targets.
The malicious ZIP archive contains a PowerPoint executable ("wine.exe") and two hidden DLL files. When the PowerPoint executable is run, it activates a previously unknown malware loader called GRAPELOADER through a technique known as DLL side-loading. GRAPELOADER then establishes persistence on the system by modifying the Windows Registry. It collects basic system information, such as username and computer name, and communicates with a command-and-control server to fetch additional malicious payloads. This technique allows the attackers to maintain access to the compromised systems. GRAPELOADER distinguishes itself through its advanced stealth techniques, including masking strings in its code and only decrypting them briefly in memory before erasing them. This malware gains persistence by modifying the Windows registry’s Run key, ensuring that the "wine.exe" is executed automatically every time the system reboots. The ultimate goal of the campaign is to deliver a shellcode, with Check Point also identifying updated WINELOADER artifacts uploaded to the VirusTotal platform with compilation timestamps matching recent activity. The emails are sent from domains like bakenhof[.]com and silry[.]com. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
A newly discovered remote access trojan (RAT) called ResolverRAT is actively targeting healthcare and pharmaceutical organizations worldwide. Security researchers at Morphisec have identified this sophisticated malware as a new threat, noting its advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques. ResolverRAT is designed for stealth and resilience, making static and behavioral analysis significantly more difficult. The malware has been observed in attacks as recently as March 10, indicating an ongoing campaign.
ResolverRAT spreads through meticulously crafted phishing emails, often employing fear-based lures to pressure recipients into clicking malicious links. These emails are localized, using languages spoken in targeted countries, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. The content often revolves around legal investigations or copyright violations to induce a sense of urgency. The infection chain initiates through DLL side-loading, with a legitimate executable used to inject ResolverRAT into memory, a technique previously observed in Rhadamanthys malware attacks. Once deployed, ResolverRAT utilizes a multi-stage bootstrapping process engineered for stealth. The malware employs encryption and compression and exists only in memory after decryption to prevent static analysis. It also incorporates redundant persistence methods via the Windows Registry and file system. Furthermore, ResolverRAT uses a bespoke certificate-based authentication to communicate with its command-and-control (C2) server, bypassing machine root authorities and implementing an IP rotation system to connect to alternate C2 servers if necessary. These advanced C2 infrastructure capabilities indicate a sophisticated threat actor combining secure communications and fallback mechanisms. Recommended read:
References :
Stu Sjouwerman@blog.knowbe4.com
//
References:
Cyber Security News
, gbhackers.com
,
A widespread smishing campaign targeting toll road users across the United States has been uncovered by cybersecurity researchers. The campaign, active since October 2024, involves attackers sending fraudulent SMS messages claiming that victims owe small amounts, typically under $5, for unpaid tolls. These messages warn of late fees and redirect recipients to spoofed websites designed to mimic legitimate toll service platforms like E-ZPass. The goal is to steal sensitive user information, including personal details and credit card information.
These fraudulent websites prompt victims to solve a fake CAPTCHA before being redirected to a webpage displaying a fabricated bill. The bill includes the victim’s name and warns of a $35 late payment fee, urging them to proceed with payment. Once victims click “Proceed Now,” they are taken to another fake page where they are asked to provide personal details such as their name, address, phone number, and credit card information. This data is then stolen by the threat actors. The campaign spans at least eight states, including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas, identified through spoofed domains containing state-specific abbreviations observed in the SMS messages. Cisco Talos attributes this campaign to multiple financially motivated threat actors using smishing kits developed by an individual known as “Wang Duo Yu.” These kits have been previously linked to large-scale smishing attacks targeting mail services like USPS and financial institutions. Wang Duo Yu operates several Telegram channels and forums promoting smishing kits and offering tutorials on phishing techniques. His kits are priced between $20 and $50 depending on the features and support provided. The typosquatted domains used in the campaign resolve to specific IP addresses: 45[.]152[.]115[.]161, 82[.]147[.]88[.]22, and more recently 43[.]156[.]47[.]209. Recommended read:
References :
@cyberalerts.io
//
The Tycoon2FA Phishing-as-a-Service (PhaaS) platform, notorious for its ability to bypass multi-factor authentication (MFA) on Microsoft 365 and Gmail accounts, has been updated with new techniques designed to evade detection. This phishing kit targets Microsoft 365 users with advanced methods to slip past endpoint and security protections. These updates enhance the kit's stealth capabilities, posing a significant threat to organizations relying on MFA for security.
New evasion techniques have been implemented, including the use of invisible Unicode characters to conceal binary data within JavaScript. This method allows the payload to be decoded and executed during runtime while avoiding static pattern-matching analysis. Tycoon2FA also employs a custom CAPTCHA rendered via HTML5 canvas and anti-debugging scripts to further complicate analysis and delay script execution, making it difficult for security systems to identify and block the phishing attempts. The Tycoon2FA phishing kit utilizes Adversary-in-the-Middle (AiTM) tactics to intercept communications between users and legitimate services, capturing session cookies to bypass MFA protections. This allows attackers to gain unauthorized access even if credentials are changed, because the captured session cookies circumvent MFA access controls during subsequent authentication attempts. The improvements made to the Tycoon2FA kit highlight the increasing sophistication of phishing campaigns and the importance of implementing advanced security measures to protect against these evolving threats. Recommended read:
References :
@www.silentpush.com
//
A China-based eCrime group known as the Smishing Triad has expanded its operations, targeting users across more than 121 countries with sophisticated SMS phishing campaigns. Originally focused on impersonating toll road operators and shipping companies, the group has now pivoted to directly target customers of international financial institutions. This expansion is accompanied by a dramatic increase in their cybercrime infrastructure and support staff, signaling a significant escalation in their activities. The group's operations span a diverse range of industries, including postal, logistics, telecommunications, transportation, finance, retail, and public sectors.
The Smishing Triad's infrastructure is vast, utilizing over 8,800 unique IP addresses and stretching across more than 200 Autonomous System Numbers (ASNs). Recent data from server logs analyzed by Silent Push reveal that the group's infrastructure has been highly active, with over one million page visits logged in just 20 days. This suggests that the actual number of SMS phishing messages sent may be significantly higher than the previously estimated 100,000 per day. A large portion of the group's phishing sites are hosted by major Chinese companies, Tencent and Alibaba, indicating a strong connection to Chinese cyberspace. The group's latest tactic involves the introduction of the "Lighthouse" phishing kit, unveiled on a Telegram channel by the developer identified as Wang Duo Yu. This kit targets numerous financial institutions, particularly in Australia and the broader Asia-Pacific region, as well as major Western financial institutions like PayPal, Mastercard, and HSBC. The Lighthouse kit boasts advanced features such as one-click setup, real-time synchronization, and mechanisms to bypass multiple layers of security like OTP, PIN, and 3DS verification, making it a formidable tool for stealing banking credentials. Smishing Triad boasts it has “300+ front desk staff worldwide” supporting the Lighthouse kit, and continues to sell its phishing kits to other threat actors via Telegram. Recommended read:
References :
@www.silentpush.com
//
A China-based eCrime group known as the Smishing Triad has expanded its operations, targeting users across more than 121 countries with sophisticated SMS phishing campaigns. Originally focused on impersonating toll road operators and shipping companies, the group has now pivoted to directly target customers of international financial institutions. This expansion is accompanied by a dramatic increase in their cybercrime infrastructure and support staff, signaling a significant escalation in their activities. The group's operations span a diverse range of industries, including postal, logistics, telecommunications, transportation, finance, retail, and public sectors.
The Smishing Triad's infrastructure is vast, utilizing over 8,800 unique IP addresses and stretching across more than 200 Autonomous System Numbers (ASNs). Recent data from server logs analyzed by Silent Push reveal that the group's infrastructure has been highly active, with over one million page visits logged in just 20 days. This suggests that the actual number of SMS phishing messages sent may be significantly higher than the previously estimated 100,000 per day. A large portion of the group's phishing sites are hosted by major Chinese companies, Tencent and Alibaba, indicating a strong connection to Chinese cyberspace. The group's latest tactic involves the introduction of the "Lighthouse" phishing kit, unveiled on a Telegram channel by the developer identified as Wang Duo Yu. This kit targets numerous financial institutions, particularly in Australia and the broader Asia-Pacific region, as well as major Western financial institutions like PayPal, Mastercard, and HSBC. The Lighthouse kit boasts advanced features such as one-click setup, real-time synchronization, and mechanisms to bypass multiple layers of security like OTP, PIN, and 3DS verification, making it a formidable tool for stealing banking credentials. Smishing Triad boasts it has “300+ front desk staff worldwide” supporting the Lighthouse kit, and continues to sell its phishing kits to other threat actors via Telegram. Recommended read:
References :
Stu Sjouwerman@blog.knowbe4.com
//
Cisco Talos has uncovered an extensive and ongoing SMS phishing campaign that began in October 2024, targeting toll road users across the United States. The "Smishing Triad," a China-based eCrime group, is suspected to be behind these attacks, impersonating E-ZPass and other U.S. toll agencies to steal financial information. Victims receive fraudulent text messages claiming they have an outstanding toll bill, typically under $5, and are urged to pay immediately to avoid late fees. These messages prompt users to click on a link that leads to a spoofed domain mimicking the legitimate toll service's website.
Once on the fake webpage, victims are asked to solve a CAPTCHA before being directed to a fraudulent bill displaying their name and the supposed amount owed. Upon clicking "Proceed Now," users are prompted to enter personal information, including their name, address, phone number, and credit card details, which are then stolen by the threat actors. Talos assesses with moderate confidence that multiple financially motivated threat actors are involved, utilizing a smishing kit developed by "Wang Duo Yu." The actors have targeted individuals in at least eight states, including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas, identified through spoofed domains containing the states' two-letter abbreviations. The Smishing Triad, known for systematically targeting organizations in at least 121 countries across various industries, has shown remarkable success in converting phished payment card data into mobile wallets from Apple and Google. Silent Push analysts have found that the group's infrastructure generated over one million page visits in just 20 days, suggesting a potentially higher volume of SMS messages sent than previously estimated. The group continues to sell its phishing kits via Telegram and other channels. Authorities, including the FBI's IC3, have been aware of similar scams since at least April 2024, highlighting the persistent and evolving nature of these phishing campaigns. Recommended read:
References :
@Talkback Resources
//
Despite recent arrests in 2024, the Scattered Spider cybercrime collective remains active in 2025, continuing to target high-profile organizations with sophisticated social engineering attacks. The group, known for its audacious breaches including attacks against MGM Resorts and Caesars Entertainment in 2023, employs tactics such as impersonating IT staff to steal login credentials and using remote access tools. Security firm Silent Push has uncovered the group's persistence in 2025 and has outlined the group's latest tactics, techniques and procedures.
Scattered Spider is utilizing updated phishing kits and a new version of the Spectre RAT malware to compromise systems and exfiltrate sensitive data. Their phishing campaigns involve impersonating well-known brands and software vendors, including the use of dynamic DNS services to evade detection. Targets in 2025 include organizations such as Klaviyo, HubSpot, Pure Storage, Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone. Law enforcement has made some progress in disrupting Scattered Spider's operations. Noah Michael Urban, also known as "King Bob," a 20-year-old member of the group, pleaded guilty to charges related to SIM swap fraud, aggravated identity theft, and cryptocurrency thefts. He faces potential decades in prison and is required to pay over $13.2 million in restitution to 59 victims. Silent Push made available code for a Spectre RAT string decoder and command and control (C2) emulator that defenders can use in their efforts to squash the eight-legged menace. Recommended read:
References :
Mandvi@Cyber Security News
//
Netskope Threat Labs has uncovered a new evasive campaign that uses fake CAPTCHAs and CloudFlare Turnstile to deliver the LegionLoader malware. This sophisticated attack targets individuals searching for PDF documents online, tricking them into downloading malware that installs a malicious browser extension. This extension is designed to steal sensitive user data. The campaign has been active since February 2025 and has impacted over 140 customers.
The attack begins when victims are lured to malicious websites after searching for specific PDF documents. These sites present fake CAPTCHAs. Interacting with the fake CAPTCHA redirects the victim through a Cloudflare Turnstile page to a notification prompt. If the user enables browser notifications, they are directed to download what they believe is their intended document. However, this process executes a command that downloads a malicious MSI installer. Upon execution, the MSI file installs a program named "Kilo Verfair Tools" which sideloads a malicious DLL, initiating the LegionLoader infection. The LegionLoader payload uses a custom algorithm to deobfuscate shellcode and then injects the payload into an "explorer.exe" process. This ultimately leads to the installation of a malicious browser extension, often masquerading as "Save to Google Drive". This extension steals sensitive information like clipboard data, cookies, and browsing history. The affected sectors include technology and business services, retail, and telecommunications. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new phishing campaign called 'PoisonSeed' has emerged, posing a significant cybersecurity threat by targeting customer relationship management (CRM) platforms and bulk email service providers. The campaign leverages compromised credentials to distribute emails containing cryptocurrency seed phrases, aiming to drain victims' digital wallets. This activity forms part of a broader supply chain attack, impacting enterprise organizations and individuals outside the cryptocurrency industry, with crypto companies like Coinbase and Ledger and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho among the targeted companies.
PoisonSeed's method involves creating convincing phishing pages mimicking login portals for popular CRM and email platforms. These deceptive pages trick victims into revealing their credentials, after which the attackers automate the export of email lists and create API keys for persistent access. Compromised accounts are then used to send bulk phishing emails with urgent lures, such as fake wallet migration notices, urging recipients to set up new cryptocurrency wallets using a provided seed phrase. If entered, this seed phrase allows attackers to access the wallet and steal funds, initiating a cryptocurrency seed phrase poisoning attack. Silent Push analysts have identified an extensive list of Indicators of Compromise (IoCs) associated with PoisonSeed's infrastructure, including phishing domains like mailchimp-sso[.]com and C2 Servers with IP addresses such as 212.224.88[.]188. While PoisonSeed shares some tactics with known groups like Scattered Spider and CryptoChameleon, it's considered a distinct entity with a focus on cryptocurrency theft rather than ransomware attacks. This malicious campaign exploits CRM credentials to spread cryptocurrency seed phrase attacks, placing many wallets at risk of compromise. Recommended read:
References :
|