CyberSecurity news
FlagThis - #phishing
|
Michael Kan@PCMag Middle East ai
//
A new cyber threat has emerged, targeting users eager to experiment with the DeepSeek AI model. Cybercriminals are exploiting the popularity of open-source AI by disguising malware as a legitimate installer for DeepSeek-R1. Unsuspecting victims are unknowingly downloading "BrowserVenom" malware, a malicious program designed to steal stored credentials, session cookies, and gain access to cryptocurrency wallets. This sophisticated attack highlights the growing trend of cybercriminals leveraging interest in AI to distribute malware.
This attack vector involves malicious Google ads that redirect users to a fake DeepSeek domain when they search for "deepseek r1." The fraudulent website, designed to mimic the official DeepSeek page, prompts users to download a file named "AI_Launcher_1.21.exe." Once executed, the installer displays a fake installation screen while silently installing BrowserVenom in the background. Security experts at Kaspersky have traced the threat and identified that the malware reconfigures browsers to route traffic through a proxy server controlled by the hackers, enabling them to intercept sensitive data. Kaspersky's investigation revealed that the BrowserVenom malware can evade many antivirus programs and has already infected computers in various countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The analysis of the phishing and distribution websites revealed Russian-language comments within the source code, suggesting the involvement of Russian-speaking threat actors. This incident serves as a reminder to verify the legitimacy of websites and software before downloading, especially when dealing with open-source AI tools that require multiple installation steps. Recommended read:
References :
@gbhackers.com
//
The Haozi Phishing-as-a-Service (PhaaS) platform has resurfaced, marking a concerning development in the cybercrime landscape. This Chinese-language operation distinguishes itself with its ease of use, comprehensive customer support, and a cartoon mouse mascot, lowering the barrier to entry for aspiring cybercriminals. Haozi provides a "plug-and-play" system, transforming complex phishing campaigns into point-and-click operations accessible to those with minimal technical expertise. The platform boasts a fully automated, web-based control panel, enabling users to manage multiple phishing campaigns, filter traffic, view stolen credentials, and fine-tune attack behavior.
Haozi's business model resembles legitimate software companies, offering a subscription plan and a-la-carte sales. Transactions are conducted using Tether (USDT), with the associated wallet having processed over $280,000 to date. The platform also monetizes the broader attack ecosystem by selling advertising space that connects buyers to third-party services such as SMS gateways. This allows Haozi to act as a middleman, generating revenue not only from phishing kits but also from ancillary services. According to reports, the Haozi platform immediately gained nearly 2,000 followers on Telegram after its initial community on the encrypted messaging app was dismantled. What sets Haozi apart is its fully automated installation process. Attackers simply input their server credentials into a hosted installation page, and the system automatically deploys a phishing site and admin dashboard, eliminating the need for command-line setup or server configuration. The kits themselves simulate real user experiences, with phishing templates mimicking bank verification and credit card prompts with response logic. For example, after capturing credit card details, the operator may decide to request a 2FA code based on the response received from a card transaction attempt. The resurgence of Haozi highlights the escalating threat presented by PhaaS networks and underscores the need for intensified cybersecurity training programs. Recommended read:
References :
@www.trustwave.com
//
Trustwave researchers have uncovered a large-scale phishing campaign where the Dadsec hacker group is exploiting the Tycoon2FA infrastructure to steal Office365 credentials. The Dadsec group, also known as Storm-1575, operates a Phishing-as-a-Service (PhaaS) platform and has been leveraging Tycoon2FA to target Microsoft 365 users since at least September 2023. This campaign demonstrates an evolution in phishing tactics, blending advanced evasion techniques with shared infrastructure, indicating a coordinated PhaaS ecosystem.
Recent investigations reveal a technical and operational overlap between Dadsec and Tycoon2FA, suggesting a convergence of methods. These campaigns typically lure victims with fake shared documents or urgent notifications that redirect them to carefully crafted phishing sites mimicking Microsoft's Office365 login page. The attacks employ advanced adversary-in-the-middle (AiTM) techniques, enabling attackers to intercept authentication flows, capture credentials, and bypass multi-factor authentication (MFA) protections by stealing session cookies. Detailed analysis reveals that domains used in both Dadsec and Tycoon2FA campaigns consistently employ infrastructure traceable to shared Autonomous System Numbers, notably AS19871. These domains, often featuring randomized alphanumeric strings and common top-level domains such as .RU, host custom PHP scripts like "res444.php," "cllascio.php," and ".000.php" integral to payload delivery. The Tycoon2FA kit is believed to be a direct evolution or clone of Dadsec, demonstrating a high degree of technical sophistication, using layered obfuscation and Cloudflare Turnstile integration. Recommended read:
References :
CyberNewswire@hackread.com
//
SquareX has released new threat research highlighting a sophisticated Fullscreen Browser-in-the-Middle (BitM) attack that targets Apple Safari users. This attack exploits a flaw in the browser's Fullscreen API, allowing attackers to create a convincing fullscreen window that mimics a legitimate login page. By using a remote browser, victims are tricked into interacting with an attacker-controlled browser via a pop-up window, divulging credentials and other sensitive information, thinking they are using a regular browser window. Mandiant has highlighted the increasing use of BitM attacks to steal credentials and gain unauthorized access to enterprise SaaS apps.
The Safari-specific implementation flaw uses the Fullscreen API to create a BitM window in fullscreen mode, concealing the suspicious URL from the parent window. Safari users are particularly vulnerable due to the lack of clear visual indicators when entering fullscreen mode, making it difficult to distinguish between a legitimate page and a fake one. Attackers can easily embed a fake login button within the pop-up window that triggers the Fullscreen API upon being clicked. The current Fullscreen API requires user interaction to trigger fullscreen mode, but it does not specify the type of interaction required. SquareX disclosed this vulnerability to Apple, but they were informed that there is no plan to address the issue. According to SquareX researchers, the Fullscreen BitM attack highlights architectural and design flaws in browser APIs, specifically the Fullscreen API. They emphasized that users could unknowingly click on a fake button and trigger a fullscreen BitM window, especially in Safari, where the lack of clear fullscreen mode cues allows threat actors to steal user credentials stealthily. This exploit renders existing security solutions obsolete when it comes to detecting this type of BitM attack. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
Cybercriminals are using a fake Bitdefender website to distribute the Venom RAT (Remote Access Trojan) and other malicious programs, tricking users into downloading what they believe is legitimate antivirus software. The spoofed domain, bitdefender-download[.]com, closely mimics the official Bitdefender site, making it difficult for unsuspecting users to distinguish between the real and fake versions. This campaign highlights the importance of verifying the legitimacy of software download sources to avoid becoming a victim of malware.
Researchers have found that clicking on the "Download for Windows" button on the fraudulent site initiates a file download from a Bitbucket repository that redirects to an Amazon S3 bucket. The downloaded ZIP archive, named "BitDefender.zip," contains an executable ("StoreInstaller.exe") which includes malware configurations associated with Venom RAT, as well as code related to the open-source post-exploitation framework SilentTrinity and StormKitty stealer. These tools work in concert to compromise user systems. The Venom RAT allows attackers to harvest data and maintain persistent remote access to compromised systems. Additionally, the StormKitty malware steals passwords, including those for cryptocurrency wallets, while SilentTrinity ensures the attacker can remain hidden and maintain long-term control. DomainTools suspects the fake Bitdefender site was likely used in phishing attacks, given its overlap with internet infrastructure hosting other fake sites impersonating banks and IT services, further emphasizing the malicious intent behind this cloned website. Recommended read:
References :
Puja Srivastava@Sucuri Blog
//
Cybercriminals are increasingly employing sophisticated social engineering techniques to distribute malware, with a recent surge in attacks leveraging fake CAPTCHA prompts and AI-generated TikTok videos. These campaigns, collectively known as "ClickFix," manipulate users into executing malicious PowerShell commands, leading to system compromise and the installation of information-stealing malware. A notable example involves a fake Google Meet page hosted on compromised WordPress sites, which tricks visitors into copying and pasting a specific PowerShell command under the guise of fixing a "Microphone Permission Denied" error. Once executed, the command downloads a remote access trojan (RAT), granting attackers full control over the victim's system.
The ClickFix technique is also being amplified through AI-generated TikTok videos that promise free access to premium software like Windows, Microsoft Office, Spotify, and CapCut. These videos instruct users to run PowerShell scripts, which instead install Vidar and StealC malware, capable of stealing login credentials, credit card data, and 2FA codes. Trend Micro researchers note that the use of AI allows for rapid production and tailoring of these videos to target different user segments. These tactics have proven highly effective, with one video promising to "boost your Spotify experience instantly" amassing nearly 500,000 views. Detecting and preventing ClickFix attacks requires a multi-faceted approach. Security experts recommend disabling the Windows Run program via Group Policy Objects (GPOs) or turning off the "Windows + R" hotkey. Additionally, users should exercise caution when encountering unsolicited technical instructions, verify the legitimacy of video sources, and avoid running PowerShell commands from untrusted sources. Monitoring for keywords like "not a robot," "captcha," "secure code," and "human" in process creation events can also help identify potential attacks. These measures, combined with public awareness, are crucial in mitigating the growing threat posed by ClickFix campaigns. Recommended read:
References :
MalBot@malware.news
//
References:
gbhackers.com
, infosecwriteups.com
,
A fraudulent website, digiyatra[.]in, is actively targeting Indian air travelers by impersonating the official DigiYatra Foundation. Threat actors are exploiting the trust placed in India's digital infrastructure by setting up this deceptive phishing site. The website, which remains live at the time of reporting, is designed to harvest personal user data under the guise of providing official services for air travelers, mirroring a legitimate flight booking portal with a flight search box and user forms requesting names, phone numbers, and email addresses.
Despite the appearance of a genuine booking platform, the website does not facilitate any actual ticket sales or transactions. Instead, its sole purpose is data harvesting, enticing users to input Personally Identifiable Information (PII) by imitating a legitimate service experience. The site uses a free SSL certificate from Let's Encrypt to enhance its perceived legitimacy, further deceiving unsuspecting users. The domain was registered under the name Ali Sajil from Kerala, India, and is accessible through both its domain name and IP address (167[.]172[.]151[.]164). The discovery of this phishing site poses significant risks, including unauthorized data collection, public deception, and potential reputational damage to the DigiYatra initiative. The site's ability to deceive users stems from its strategic use of keywords and the appearance of security through HTTPS. In response to this threat, ThreatWatch360 has taken immediate action, escalating the matter to CERT-In and submitting a takedown request to the domain registrar. Furthermore, alerts have been shared with brand protection clients, and monitoring for similar fraudulent attempts is ongoing, with DNS-level blocks advised for the domain and its IP address to prevent further abuse. Recommended read:
References :
Ddos@securityonline.info
//
A new cyber-espionage campaign has been uncovered, targeting public sector organizations in Tajikistan. The threat actor behind this campaign is TAG-110, a group linked to Russia and also known as UAC-0063 and APT28 (BlueDelta). Recorded Future’s Insikt Group discovered that TAG-110 is using macro-enabled Microsoft Word templates (.dotm files) to gain access to and exfiltrate intelligence from Tajik government, educational, and research institutions, particularly those involved in military affairs or electoral processes. This campaign reflects Russia’s strategic interest in Central Asia through intelligence-gathering operations.
These malicious Word templates are deployed through phishing lures disguised as official Tajik government documents. The templates are saved in the Microsoft Word STARTUP folder, ensuring automatic execution each time Word is launched. This tactic represents a shift from TAG-110’s previous use of HTA-based payloads like HATVIBE. The two malicious documents identified are themed around radiation safety for Tajikistan’s armed forces and election schedules in Dushanbe. Upon execution, the embedded VBA macros collect system metadata such as username, computer name, language, and resolution. This data is then sent to a hardcoded command-and-control (C2) server. The macros also establish persistence by copying themselves to the %APPDATA%\Microsoft\Word\STARTUP\ directory. Researchers state that this evolution highlights a tactical shift prioritizing persistence. The use of .dotm files and VBA macros allows TAG-110 to maintain a stealthy presence and collect data from compromised systems, turning them into surveillance nodes. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The FBI has issued a warning to U.S. law firms regarding an escalating cyber threat posed by the Silent Ransom Group (SRG), also known as Luna Moth or Chatty Spider. This group, active since 2022, has refined its tactics to target law firms specifically since early 2023, likely due to the valuable and confidential client data they possess. The group aims to gain unauthorized access to systems and devices in order to steal sensitive information and extort victims with threats of public data leaks.
SRG's methods include IT-themed social engineering calls and callback phishing emails. In these attacks, they impersonate IT personnel to deceive employees into granting remote access to systems. They may direct the employee to a malicious website or send a link via email that installs remote access software. Once inside, the attackers discreetly extract sensitive files using tools like WinSCP or disguised versions of Rclone. This campaign is particularly dangerous because it leaves minimal digital traces and can bypass traditional security measures. To defend against these attacks, the FBI urges law firms to enhance staff training to recognize and avoid social engineering tactics. Implementing multi-factor authentication is crucial, as is proactive monitoring for unauthorized access attempts. The agency also advises that victims share any ransom evidence with law enforcement to aid in investigations. Furthermore, CISOs are encouraged to fortify help desk and employee defenses, enhance intrusion detection and tracking capabilities, and recognize that paying ransoms is not a viable strategy. Recommended read:
References :
Nicole Kobie@itpro.com
//
The FBI has issued a warning regarding a major fraud campaign where cybercriminals are using AI-generated audio deepfakes and text messages to impersonate senior U.S. government officials. This scheme, which has been active since April 2025, targets current and former federal and state officials, along with their contacts, aiming to gain access to their personal accounts. The attackers are employing tactics known as smishing (SMS phishing) and vishing (voice phishing) to establish rapport before attempting to compromise accounts, potentially leading to the theft of sensitive information or funds.
The FBI advises that if individuals receive a message claiming to be from a senior U.S. official, they should not assume it is authentic. The agency suggests verifying the communication through official channels, such as calling back using the official number of the relevant department, rather than the number provided in the suspicious message. Additionally, recipients should be wary of unusual verbal tics or word choices that could indicate a deepfake in operation. This warning comes amidst a surge in social engineering attacks leveraging AI-based voice cloning. A recent report indicated a 442% increase in the use of AI voice cloning between the first and second halves of 2024. Experts caution that the stolen credentials or information obtained through these schemes could be used to further impersonate officials, spread disinformation, or commit financial fraud, highlighting the increasing sophistication and potential damage of AI-enhanced fraud. Recommended read:
References :
Nicole Kobie@itpro.com
//
The FBI has issued a warning about a rise in scams targeting U.S. government officials. Cybercriminals are using AI-generated voice clones and text messages to impersonate senior officials. This campaign, which started in April 2025, aims to trick current and former federal and state officials, as well as their contacts, into divulging sensitive information or granting unauthorized access to accounts. These tactics are referred to as "smishing" (malicious SMS messages) and "vishing" (fraudulent voice calls). The FBI is advising the public that if you receive a message claiming to be from a senior U.S. official, do not assume it is authentic.
The attackers use AI to create realistic voice deepfakes, making it difficult to distinguish between real and fake messages. They also leverage publicly available data to make their messages more convincing, exploiting human trust to infiltrate broader networks. The FBI has found that one method attackers use to gain access is by sending targeted individuals a malicious link under the guise of transitioning to a separate messaging platform. The use of AI-generated audio has increased sharply, as large language models have proliferated and improved their abilities to create lifelike audio. Once an account is compromised, it can be used in future attacks to target other government officials, their associates, and contacts by using trusted contact information they obtain. Stolen contact information acquired through social engineering schemes could also be used to impersonate contacts to elicit information or funds. The FBI advises that the scammers are using software to generate phone numbers that are not attributed to specific phones, making them more difficult to trace. Individuals should be vigilant and follow standard security advice, such as not trusting unsolicited messages and verifying requests through official channels. Recommended read:
References :
@cyberalerts.io
//
North Korean state-sponsored actor Konni, also known as TA406, has been observed targeting Ukrainian government entities in intelligence collection operations. Researchers at Proofpoint uncovered phishing campaigns initiated in February 2025, where the threat group delivered both credential harvesting tools and malware. These attacks are designed to gather intelligence on the trajectory of the Russian invasion, reflecting Konni's broader pattern of cyber espionage and information gathering. The group's activities extend beyond Ukraine, as they have historically targeted government entities in Russia for strategic intelligence purposes.
The phishing emails used in the attacks often impersonate think tanks and reference important political events or military developments to lure their targets. These emails contain links to password-protected RAR archives hosted on cloud services. Once opened, these archives launch infection sequences designed to conduct extensive reconnaissance of compromised machines. A common tactic involves using CHM files displaying decoy content related to Ukrainian military figures. Clicking on the decoy content triggers the execution of a PowerShell command, downloading a next-stage PowerShell payload from an external server. This newly launched PowerShell script is capable of gathering detailed information about the compromised system, encoding it, and sending it back to the attacker's server. In some instances, Proofpoint observed HTML files being directly distributed as attachments, instructing victims to click embedded links to download ZIP archives containing malicious files. The ultimate goal of these campaigns is to collect intelligence relevant to the conflict, potentially to support North Korea's military involvement alongside Russia in Ukraine and assess the political landscape. Recommended read:
References :
@securebulletin.com
//
References:
securebulletin.com
, securityonline.info
,
A new multi-platform malware campaign is targeting organizations in Southern Europe, specifically Spain, Italy, and Portugal, through sophisticated phishing emails. This campaign leverages weaponized PDF invoices to deliver a Java-based Remote Access Trojan (RAT) known as RATty. The attack begins with emails that bypass SPF/DKIM checks by abusing Spain's serviciodecorreo.es email service, allowing forged sender addresses to appear legitimate. The emails contain a PDF attachment mimicking an invoice from Medinova Health Group, enticing recipients to click a Dropbox link.
This link redirects victims to an HTML file (Fattura.html) that initiates a multi-stage verification process, including a fake CAPTCHA, to further deceive the user. The HTML file then utilizes Ngrok tunneling to dynamically switch content based on the victim's geolocation. If the request originates from Italy, the user is redirected to MediaFire to download a malicious Java Archive (JAR) file named FA-43-03-2025.jar. Users outside of Italy are redirected to benign Google Drive documents, effectively bypassing automated sandboxes typically hosted in cloud regions outside Italy. The final JAR file contains the RATty malware, a cross-platform Remote Access Trojan that exploits Java's capabilities to grant attackers extensive control over the compromised system. This includes remote command execution, keystroke logging, screenshot capture, and data exfiltration. The attackers may also repackage RATty in MSI installers, further disguising the threat as a software update to increase the odds of user execution. Organizations are advised to update endpoint protection tools to defend against this evolving phishing tactic. Recommended read:
References :
@cyberalerts.io
//
A new malware campaign is exploiting the hype surrounding artificial intelligence to distribute the Noodlophile Stealer, an information-stealing malware. Morphisec researcher Shmuel Uzan discovered that attackers are enticing victims with fake AI video generation tools advertised on social media platforms, particularly Facebook. These platforms masquerade as legitimate AI services for creating videos, logos, images, and even websites, attracting users eager to leverage AI for content creation.
Posts promoting these fake AI tools have garnered significant attention, with some reaching over 62,000 views. Users who click on the advertised links are directed to bogus websites, such as one impersonating CapCut AI, where they are prompted to upload images or videos. Instead of receiving the promised AI-generated content, users are tricked into downloading a malicious ZIP archive named "VideoDreamAI.zip," which contains an executable file designed to initiate the infection chain. The "Video Dream MachineAI.mp4.exe" file within the archive launches a legitimate binary associated with ByteDance's CapCut video editor, which is then used to execute a .NET-based loader. This loader, in turn, retrieves a Python payload from a remote server, ultimately leading to the deployment of the Noodlophile Stealer. This malware is capable of harvesting browser credentials, cryptocurrency wallet information, and other sensitive data. In some instances, the stealer is bundled with a remote access trojan like XWorm, enabling attackers to gain entrenched access to infected systems. Recommended read:
References :
@cyberpress.org
//
A joint investigation by SentinelLABS and Validin has exposed a massive cryptocurrency phishing operation named "FreeDrain." This industrial-scale network has been siphoning digital assets for years by exploiting weaknesses in free publishing platforms. FreeDrain utilizes aggressive SEO manipulation, free-tier web services like gitbook.io, webflow.io, and github.io, along with sophisticated layered redirection techniques to lure unsuspecting victims. The operation's primary goal is to steal cryptocurrency wallet login credentials and seed phrases, often resulting in rapid fund exfiltration.
FreeDrain operators achieve high search engine rankings by creating over 38,000 malicious subdomains on trusted platforms, including Amazon S3 and Azure Web Apps. These subdomains host lure pages that often feature AI-generated content and screenshots of legitimate wallet interfaces. When users search for wallet-related queries, they are redirected through comment-spammed URLs and custom redirector domains to highly convincing phishing clones. These phishing pages frequently include live chat widgets manned by real human operators who encourage victims to submit their credentials. Researchers believe the operators are based in the UTC+05:30 timezone (Indian Standard Time) and work standard weekday hours. The sophistication of FreeDrain lies in its scale, automation, and ability to avoid traditional phishing email delivery vectors. Victims are funneled from benign-seeming search queries directly to malicious pages ranked at the top of major search engines. Validin first became aware of FreeDrain on May 12, 2024, after a victim reported losing approximately 8 BTC (around $500,000 at the time) to a phishing site. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Google is integrating its Gemini Nano AI model into the Chrome browser to provide real-time scam protection for users. This enhancement focuses on identifying and blocking malicious websites and activities as they occur, addressing the challenge posed by scam sites that often exist for only a short period. The integration of Gemini Nano into Chrome's Enhanced Protection mode, available since 2020, allows for the analysis of website content to detect subtle signs of scams, such as misleading pop-ups or deceptive tactics.
When a user visits a potentially dangerous page, Chrome uses Gemini Nano to evaluate security signals and determine the intent of the site. This information is then sent to Safe Browsing for a final assessment. If the page is deemed likely to be a scam, Chrome will display a warning to the user, providing options to unsubscribe from notifications or view the blocked content while also allowing users to override the warning if they believe it's unnecessary. This system is designed to adapt to evolving scam tactics, offering a proactive defense against both known and newly emerging threats. The AI-powered scam detection system has already demonstrated its effectiveness, reportedly catching 20 times more scam-related pages than previous methods. Google also plans to extend this feature to Chrome on Android devices later this year, further expanding protection to mobile users. This initiative follows criticism regarding Gmail phishing scams that mimic law enforcement, highlighting Google's commitment to improving online security across its platforms and safeguarding users from fraudulent activities. Recommended read:
References :
|