CyberSecurity news

FlagThis - #phishing

Nathaniel Morales@feeds.trendmicro.com //
Cybercriminals are actively deploying FOG ransomware disguised as communications from the U.S. Department of Government Efficiency (DOGE) via malicious emails. This campaign, which has been ongoing since January, involves cybercriminals spreading FOG ransomware by claiming ties to DOGE in their phishing attempts. The attackers are impersonating DOGE to infect targets across multiple sectors, including technology and healthcare. Over 100 victims have been impacted by this DOGE-themed ransomware campaign since January.

Cybercriminals are distributing a ZIP file named "Pay Adjustment.zip" through phishing emails. Inside this archive is an LNK file disguised as a PDF document. Upon execution, this LNK file triggers a PowerShell script named "stage1.ps1", which downloads additional ransomware components. The script also opens politically themed YouTube videos, potentially to distract the victim. The initial ransomware note makes references to DOGE to add confusion. The attackers utilize a tool called 'Ktool.exe' to escalate privileges by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver.

The ransomware note, RANSOMNOTE.txt, references DOGE and includes names of individuals associated with the department. Victims are asked to pay $1,000 in Monero, although it is unclear whether paying the ransom leads to data recovery or whether the whole thing is an elaborate troll. Trend Micro revealed that the latest samples of Fog ransomware, uploaded to VirusTotal between March 27 and April 2, 2025, spread through distribution of a ZIP file containing an LNK file disguised as a PDF.

References:
  • cyberinsider.com: FOG Ransomware Impersonates U.S. DOGE to Infect Targets
  • gbhackers.com: Cybercriminals Deploy FOG Ransomware Disguised as DOGE via Malicious Emails
  • www.trendmicro.com: FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
  • www.scworld.com: Fog ransomware notes troll with DOGE references, bait insider attacks
  • securityonline.info: FOG Ransomware Campaign Targets Multiple Sectors with Phishing and Payload Obfuscation
  • darkwebinformer.com: FOG Ransomware Attack Update for the 21st of April 2025

Stu Sjouwerman@blog.knowbe4.com //
A China-based cybercriminal gang known as the "Smishing Triad" is reportedly launching a wave of SMS phishing attacks, or "smishing," targeting users in both the US and the UK. These attacks are themed around road tolls, with victims receiving text messages that appear to be from toll road operators. The messages warn recipients of unpaid toll fees and potential fines if the fees are not promptly addressed. Cybersecurity researchers have issued warnings about this widespread and ongoing SMS phishing campaign, noting that it has been actively targeting toll road users since mid-October 2024, aiming to steal their financial information.

Researchers have linked the surge in these SMS scams to new features added to a popular commercial phishing kit sold in China. This kit simplifies the process of creating convincing lures that spoof toll road operators across multiple US states. The phishing pages are designed to closely mimic the websites of these operators as they appear on mobile devices, and in some cases, will not even load unless accessed from a mobile device. The goal of these kits is to obtain enough information from victims to add their payment cards to mobile wallets. These cards can then be used for fraudulent purchases in physical stores, online, or to launder money through shell companies.

The phishing campaigns often impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across several states including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. The texts prompt recipients to click on a fake link, often requiring them to reply with "Y" to activate the link, a tactic used in other phishing kits. Victims who click the link are directed to a fraudulent E-ZPass page where they are asked to enter personal and financial information, which is then stolen by the attackers.

References:
  • blog.knowbe4.com: Toll-themed smishing attacks surge in US and UK
  • The Hacker News: Cybersecurity researchers are warning of a widespread and ongoing SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024.
  • ciso2ciso.com: Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024.
  • krebsonsecurity.com: Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid.
  • The DefendOps Diaries: Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States
  • ciso2ciso.com: Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States – Source:thehackernews.com
  • www.scworld.com: Massive ongoing US toll fraud underpinned by Chinese smishing kit

Zeljka Zorz@Help Net Security //
Microsoft is warning Windows users about an actively exploited vulnerability, CVE-2025-24054, which allows attackers to capture NTLMv2 responses. This can lead to the leakage of NTLM hashes and potentially user passwords, compromising systems. The vulnerability is exploited through phishing attacks that use maliciously crafted .library-ms files; it is triggered by minimal user interaction with the file, such as right-clicking it, dragging and dropping it, or simply navigating to the folder that contains it. The original version of the protocol, NTLMv1, had several security flaws that made it vulnerable to attacks such as pass-the-hash and rainbow table attacks.

Attackers have been actively exploiting CVE-2025-24054 since March 19, 2025, even though Microsoft released a patch on March 11, 2025. Active exploitation has been observed in campaigns targeting government entities and private institutions in Poland and Romania between March 20 and 21, 2025. The attack campaign used email phishing links to distribute a Dropbox link containing an archive file that exploits the vulnerability, which harvests NTLMv2-SSP hashes.

The captured NTLMv2 response can be leveraged by attackers for offline brute-force attacks or for NTLM relay attacks, which fall under the category of man-in-the-middle attacks. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, because the attacker can use them for privilege escalation and lateral movement on the network. Microsoft released a patch on March 11, 2025 addressing the vulnerability, and users are advised to apply it.

References:
  • Check Point Research: CVE-2025-24054, NTLM Exploit in the Wild
  • The DefendOps Diaries: Understanding the CVE-2025-24054 Vulnerability: A Critical Threat to Windows Systems
  • BleepingComputer: Windows NTLM hash leak flaw exploited in phishing attacks on governments
  • bsky.app: Windows NTLM hash leak flaw exploited in phishing attacks on governments
  • research.checkpoint.com: CVE-2025-24054, NTLM Exploit in the Wild
  • Talkback Resources: Research team analysis of CVE-2025-24054
  • Help Net Security: Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
  • www.helpnetsecurity.com: Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
  • bsky.app: BSky Post on CVE-2025-24054, NTLM Exploit in the Wild
  • Cyber Security News: CyberSecurityNews - Hackers Exploiting Windows NTLM Spoofing Vulnerability in Wild to Compromise Systems
  • The Hacker News: CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download
  • MSSP feed for Latest: Windows NTLM Hash Flaw Targeted in Global Phishing Attacks
  • gbhackers.com: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to active exploitation of a newly disclosed Microsoft Windows vulnerability tracked as CVE-2025-24054.
  • infosecwriteups.com: Your NTLM Hashes at Risk: Inside CVE‑2025‑24054
  • BetaNews: CISA adds Windows NTLM hash disclosure spoofing flaw to its Known Exploited Vulnerabilities Catalog
  • www.scworld.com: Cybersecurity News reports on alarms sounding over attacks via Microsoft NTLM vulnerability, impacting Poland and Romania.
  • securityaffairs.com: U.S. CISA adds Apple products and Microsoft Windows NTLM flaws to its Known Exploited Vulnerabilities catalog
  • gbhackers.com: CISA Warns of Active Exploitation of Windows NTLM Vulnerability
  • Techzine Global: Windows vulnerability with NTLM hash abuse exploited for phishing
  • betanews.com: CISA adds Windows NTLM hash disclosure spoofing flaw to its Known Exploited Vulnerabilities Catalog
  • ciso2ciso.com: Fresh Windows NTLM Vulnerability Exploited in Attacks – Source: www.securityweek.com
  • malware.news: Phishing campaigns abuse Windows NTLM hash leak bug

The Hacker News //
APT29, a Russian state-sponsored hacking group also known as Cozy Bear or Midnight Blizzard, is actively targeting European diplomatic entities with a sophisticated phishing campaign that began in January 2025. The group is using deceptive emails disguised as invitations to wine-tasting events to entice recipients into downloading a malicious ZIP file. This archive, often named "wine.zip," contains a legitimate PowerPoint executable alongside malicious DLL files designed to compromise the victim's system. These campaigns appear to focus primarily on Ministries of Foreign Affairs, as well as other countries' embassies in Europe, with indications suggesting that diplomats based in the Middle East may also be targets.

The malicious ZIP archive contains a PowerPoint executable ("wine.exe") and two hidden DLL files. When the PowerPoint executable is run, it activates a previously unknown malware loader called GRAPELOADER through a technique known as DLL side-loading. GRAPELOADER then establishes persistence on the system by modifying the Windows Registry. It collects basic system information, such as username and computer name, and communicates with a command-and-control server to fetch additional malicious payloads. This technique allows the attackers to maintain access to the compromised systems.

GRAPELOADER distinguishes itself through its advanced stealth techniques, including masking strings in its code and only decrypting them briefly in memory before erasing them. This malware gains persistence by modifying the Windows registry’s Run key, ensuring that the "wine.exe" is executed automatically every time the system reboots. The ultimate goal of the campaign is to deliver a shellcode, with Check Point also identifying updated WINELOADER artifacts uploaded to the VirusTotal platform with compilation timestamps matching recent activity. The emails are sent from domains like bakenhof[.]com and silry[.]com.

References:
  • Check Point Blog: Details on APT29's updated phishing campaign targeting European diplomatic organizations. Focus on new malware and TTPs
  • BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
  • bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
  • blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
  • cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
  • research.checkpoint.com: Renewed APT29 Phishing Campaign Against European Diplomats
  • Cyber Security News: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
  • iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
  • cybersecuritynews.com: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
  • www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
  • Check Point Research: Renewed APT29 Phishing Campaign Against European Diplomats
  • Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
  • securityonline.info: Sophisticated phishing campaign targeting European governments and diplomats, using a wine-themed approach
  • securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
  • www.csoonline.com: The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024. The report contains indicators of compromise such as file names, file hashes and C2 URLs that can be used by security teams to build detections and threat hunting queries.
  • Virus Bulletin: The campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email.
  • The Hacker News: The Hacker News reports on APT29 targeting European diplomats with wine-themed phishing emails and the GrapeLoader malware.
  • hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
  • ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
  • ciso2ciso.com: APT29 Targets European Diplomats with Wine-Themed Phishing
  • thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
  • www.techradar.com: European diplomats targeted by Russian phishing campaign promising fancy wine tasting
  • Talkback Resources: Talkback.sh discusses APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures [mal]
  • Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats [social] [mal]
  • securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
  • eSecurity Planet: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
  • www.esecurityplanet.com: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
  • Security Risk Advisors: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
  • ciso2ciso.com: Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware – Source: securityaffairs.com

Pierluigi Paganini@securityaffairs.com //
A newly discovered remote access trojan (RAT) called ResolverRAT is actively targeting healthcare and pharmaceutical organizations worldwide. Security researchers at Morphisec have identified this sophisticated malware as a new threat, noting its advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques. ResolverRAT is designed for stealth and resilience, making static and behavioral analysis significantly more difficult. The malware has been observed in attacks as recently as March 10, indicating an ongoing campaign.

ResolverRAT spreads through meticulously crafted phishing emails, often employing fear-based lures to pressure recipients into clicking malicious links. These emails are localized, using languages spoken in targeted countries, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. The content often revolves around legal investigations or copyright violations to induce a sense of urgency. The infection chain initiates through DLL side-loading, with a legitimate executable used to inject ResolverRAT into memory, a technique previously observed in Rhadamanthys malware attacks.

Once deployed, ResolverRAT utilizes a multi-stage bootstrapping process engineered for stealth. The malware employs encryption and compression and exists only in memory after decryption to prevent static analysis. It also incorporates redundant persistence methods via the Windows Registry and file system. Furthermore, ResolverRAT uses a bespoke certificate-based authentication to communicate with its command-and-control (C2) server, bypassing machine root authorities and implementing an IP rotation system to connect to alternate C2 servers if necessary. These advanced C2 infrastructure capabilities indicate a sophisticated threat actor combining secure communications and fallback mechanisms.

References:
  • securityaffairs.com: SecurityAffairs: New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms
  • The Hacker News: The Hacker News: ResolverRAT Campaign Targets Healthcare, Pharma via Phishing and DLL Side-Loading
  • BleepingComputer: BleepingComputer: New ResolverRAT malware targets pharma and healthcare orgs worldwide
  • ciso2ciso.com: New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms – Source: securityaffairs.com
  • bsky.app: A new remote access trojan (RAT) called 'ResolverRAT' is being used against organizations globally, with the malware used in recent attacks targeting the healthcare and pharmaceutical sectors.
  • Anonymous: ResolverRAT is hitting healthcare and pharma sectors hard — phishing, fear-bait, stealth attacks.
  • industrialcyber.co: ResolverRAT malware attacks pharma and healthcare organizations via phishing and DLL side-loading
  • Industrial Cyber: ResolverRAT malware attacks pharma and healthcare organizations via phishing and DLL side-loading
  • www.scworld.com: Novel ResolverRAT trojan launched in global attacks against healthcare, pharma
  • Tech Monitor: Researchers identify new ResolverRAT cyber threat affecting global healthcare organisations
  • Security Risk Advisors: 🚩 ResolverRAT Malware Campaign Targets Healthcare and Pharmaceutical Sectors
  • www.morphisec.com: ResolverRAT Malware Campaign Targets Healthcare and Pharmaceutical Sectors
  • www.csoonline.com: New ResolverRAT malware targets healthcare and pharma orgs worldwide
  • Virus Bulletin: Morphisec's Nadav Lorber analyses ResolverRAT, a newly identified remote access trojan that combines advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques.
  • securityonline.info: A new remote access trojan (RAT) has emerged, and it’s armed with advanced techniques to evade detection.
  • Blog: New ResolverRAT sniffs around healthcare & pharmaceutical organizations

Stu Sjouwerman@blog.knowbe4.com //
A widespread smishing campaign targeting toll road users across the United States has been uncovered by cybersecurity researchers. The campaign, active since October 2024, involves attackers sending fraudulent SMS messages claiming that victims owe small amounts, typically under $5, for unpaid tolls. These messages warn of late fees and redirect recipients to spoofed websites designed to mimic legitimate toll service platforms like E-ZPass. The goal is to steal sensitive user information, including personal details and credit card information.

These fraudulent websites prompt victims to solve a fake CAPTCHA before being redirected to a webpage displaying a fabricated bill. The bill includes the victim’s name and warns of a $35 late payment fee, urging them to proceed with payment. Once victims click “Proceed Now,” they are taken to another fake page where they are asked to provide personal details such as their name, address, phone number, and credit card information. This data is then stolen by the threat actors. The campaign spans at least eight states, including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas, identified through spoofed domains containing state-specific abbreviations observed in the SMS messages.

Cisco Talos attributes this campaign to multiple financially motivated threat actors using smishing kits developed by an individual known as “Wang Duo Yu.” These kits have been previously linked to large-scale smishing attacks targeting mail services like USPS and financial institutions. Wang Duo Yu operates several Telegram channels and forums promoting smishing kits and offering tutorials on phishing techniques. His kits are priced between $20 and $50 depending on the features and support provided. The typosquatted domains used in the campaign resolve to specific IP addresses: 45[.]152[.]115[.]161, 82[.]147[.]88[.]22, and more recently 43[.]156[.]47[.]209.

@cyberalerts.io //
The Tycoon2FA Phishing-as-a-Service (PhaaS) platform, notorious for its ability to bypass multi-factor authentication (MFA) on Microsoft 365 and Gmail accounts, has been updated with new techniques designed to evade detection. This phishing kit targets Microsoft 365 users with advanced methods to slip past endpoint and security protections. These updates enhance the kit's stealth capabilities, posing a significant threat to organizations relying on MFA for security.

New evasion techniques have been implemented, including the use of invisible Unicode characters to conceal binary data within JavaScript. This method allows the payload to be decoded and executed during runtime while avoiding static pattern-matching analysis. Tycoon2FA also employs a custom CAPTCHA rendered via HTML5 canvas and anti-debugging scripts to further complicate analysis and delay script execution, making it difficult for security systems to identify and block the phishing attempts.

The Tycoon2FA phishing kit utilizes Adversary-in-the-Middle (AiTM) tactics to intercept communications between users and legitimate services, capturing session cookies to bypass MFA protections. This allows attackers to gain unauthorized access even if credentials are changed, because the captured session cookies circumvent MFA access controls during subsequent authentication attempts. The improvements made to the Tycoon2FA kit highlight the increasing sophistication of phishing campaigns and the importance of implementing advanced security measures to protect against these evolving threats.
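As an added example (not code from the page or from any vendor report), the following JavaScript scans a script for the invisible-Unicode concealment technique described above and reports what it finds. The invisible code point list, the run threshold and the two-symbol bit encoding used to construct the sample input are assumptions for illustration, not the kit's actual scheme.

```javascript
// Added example, not code from the original page or from any vendor report: a
// static scanner that flags JavaScript source carrying long runs of invisible
// Unicode code points, the concealment technique described for Tycoon2FA above.
// The code point list, the run threshold and the 8-bit zero-width encoding used
// to build the sample are assumptions for illustration, not the kit's real scheme.

// Code points that render as nothing in editors and browsers (illustrative subset
// of Unicode's Default_Ignorable_Code_Point property).
const INVISIBLE_CODE_POINTS = new Set([
  0x200b, // ZERO WIDTH SPACE
  0x200c, // ZERO WIDTH NON-JOINER
  0x200d, // ZERO WIDTH JOINER
  0x2060, // WORD JOINER
  0x2061, 0x2062, 0x2063, 0x2064, // FUNCTION APPLICATION, INVISIBLE TIMES/SEPARATOR/PLUS
  0xfeff, // ZERO WIDTH NO-BREAK SPACE
  0x180e, // MONGOLIAN VOWEL SEPARATOR
]);

function isInvisible(cp) {
  // The Unicode TAG block (U+E0000..U+E007F) is also invisible and is a natural
  // carrier because it offers 128 distinct code points per position.
  return INVISIBLE_CODE_POINTS.has(cp) || (cp >= 0xe0000 && cp <= 0xe007f);
}

// Walk the source by code point and collect every run of invisible characters
// at least minRun long. Returns { start, text } where start is the UTF-16 offset.
function findInvisibleRuns(source, minRun = 16) {
  const runs = [];
  let offset = 0, runStart = -1, run = '';
  for (const ch of source) {
    if (isInvisible(ch.codePointAt(0))) {
      if (run === '') runStart = offset;
      run += ch;
    } else if (run !== '') {
      if ([...run].length >= minRun) runs.push({ start: runStart, text: run });
      run = '';
    }
    offset += ch.length;
  }
  if ([...run].length >= minRun) runs.push({ start: runStart, text: run });
  return runs;
}

// Try the simplest two-symbol encoding (one code point per bit, 8 bits per byte).
// Returns null if the run does not consist of exactly those two symbols.
function decodeTwoSymbolRun(runText, zero = '\u200b', one = '\u200c') {
  const bits = [...runText].map((ch) => (ch === zero ? '0' : ch === one ? '1' : null));
  if (bits.includes(null) || bits.length % 8 !== 0) return null;
  let out = '';
  for (let i = 0; i < bits.length; i += 8) {
    out += String.fromCharCode(parseInt(bits.slice(i, i + 8).join(''), 2));
  }
  return out;
}

// Verdict for one script: ratio of invisible code points, the runs found, and
// whatever the two-symbol decoder recovers from each run.
function analyzeScript(source) {
  const chars = [...source];
  const invisibleCount = chars.filter((ch) => isInvisible(ch.codePointAt(0))).length;
  const runs = findInvisibleRuns(source).map((r) => ({
    start: r.start,
    length: [...r.text].length,
    decoded: decodeTwoSymbolRun(r.text),
  }));
  return {
    invisibleRatio: chars.length ? invisibleCount / chars.length : 0,
    runs,
    suspicious: runs.length > 0,
  };
}

// Constructed sample: a benign marker string hidden inside a string literal with
// the same two-symbol scheme the decoder expects. This is test input, not kit code.
function buildSample(hidden = 'example-marker') {
  let carrier = '';
  for (const ch of hidden) {
    const bits = ch.charCodeAt(0).toString(2).padStart(8, '0');
    for (const b of bits) carrier += b === '0' ? '\u200b' : '\u200c';
  }
  return `var k = "${carrier}";\nconsole.log(k.length);\n`;
}

const CLEAN_SCRIPT = 'function add(a, b) { return a + b; }\nconsole.log(add(2, 3));\n';
const SAMPLE_SCRIPT = buildSample();

// Print both verdicts when run directly: the clean script yields no runs, the
// sample yields one 112-code-point run that decodes back to the marker.
console.log(JSON.stringify(analyzeScript(CLEAN_SCRIPT)));
console.log(JSON.stringify(analyzeScript(SAMPLE_SCRIPT)));
```

A scanner like this only catches the two-symbol variant it decodes; the run detection and invisible ratio still flag other carrier alphabets, which is why both are reported.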

References:
  • cyberpress.org: Tycoon 2FA Phishing Kit Deploys New Tactics to Bypass Endpoint Detection Systems
  • gbhackers.com: Tycoon 2FA Phishing Kit Uses Advanced Evasion Techniques to Bypass Endpoint Detection Systems
  • The DefendOps Diaries: Understanding and Mitigating the Tycoon2FA Phishing Threat
  • www.bleepingcomputer.com: Tycoon2FA phishing kit targets Microsoft 365 with new tricks
  • SpiderLabs Blog: Tycoon2FA New Evasion Technique for 2025
  • Cyber Security News: The Tycoon 2FA phishing kit has undergone a significant evolution in its tactics, introducing sophisticated evasion techniques to bypass endpoint detection systems and scrutiny from analysts.
  • BleepingComputer: Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.
  • www.bleepingcomputer.com: Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.
  • Daily CyberSecurity: A recent report by SentinelLABS sheds light on a sophisticated phishing-as-a-service (PhaaS) operation called Tycoon 2FA, known for targeting Microsoft 365 and Gmail accounts while bypassing multi-factor authentication (MFA).
  • securityaffairs.com: SecurityAffairs article on Tycoon2FA phishing kit rolling out significant updates
  • www.scworld.com: SCWorld brief on Stealthier Tycoon2FA phishing kit appearing as PhaaS platforms fueling SVG exploitation
  • www.scworld.com: Tycoon 2FA phishing kit adds stealth, expands to mobile devices

@www.silentpush.com //
A China-based eCrime group known as the Smishing Triad has expanded its operations, targeting users across more than 121 countries with sophisticated SMS phishing campaigns. Originally focused on impersonating toll road operators and shipping companies, the group has now pivoted to directly target customers of international financial institutions. This expansion is accompanied by a dramatic increase in their cybercrime infrastructure and support staff, signaling a significant escalation in their activities. The group's operations span a diverse range of industries, including postal, logistics, telecommunications, transportation, finance, retail, and public sectors.

The Smishing Triad's infrastructure is vast, utilizing over 8,800 unique IP addresses and stretching across more than 200 Autonomous System Numbers (ASNs). Recent data from server logs analyzed by Silent Push reveal that the group's infrastructure has been highly active, with over one million page visits logged in just 20 days. This suggests that the actual number of SMS phishing messages sent may be significantly higher than the previously estimated 100,000 per day. A large portion of the group's phishing sites are hosted by major Chinese companies, Tencent and Alibaba, indicating a strong connection to Chinese cyberspace.

The group's latest tactic involves the introduction of the "Lighthouse" phishing kit, unveiled on a Telegram channel by the developer identified as Wang Duo Yu. This kit targets numerous financial institutions, particularly in Australia and the broader Asia-Pacific region, as well as major Western financial institutions like PayPal, Mastercard, and HSBC. The Lighthouse kit boasts advanced features such as one-click setup, real-time synchronization, and mechanisms to bypass multiple layers of security like OTP, PIN, and 3DS verification, making it a formidable tool for stealing banking credentials. Smishing Triad boasts it has “300+ front desk staff worldwide” supporting the Lighthouse kit, and continues to sell its phishing kits to other threat actors via Telegram.

References:
  • bsky.app: SilentPush has published a profile of Chinese cybercrime group Smishing Triad. The group is massive, with operations across 121 countries.
  • krebsonsecurity.com: China-based SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google.
  • cyberpress.org: A prevalent Chinese cybercrime group, dubbed Smishing Triad, has launched an extensive global cyberattack, targeting users in over 120 countries through sophisticated phishing campaigns.
  • gbhackers.com: Smishing Triad, a Chinese eCrime group, has launched an extensive operation targeting users across more than 121 countries. This campaign, primarily focused on stealing banking credentials, has evolved to include diverse industries, from postal and logistics to finance and retail sectors.
  • gbhackers.com: Smishing Triad, a Chinese eCrime group, has launched an extensive operation targeting users across more than 121 countries.
  • Cyber Security News: Chinese eCrime Group Launches Global Attack to Steal Banking Credentials from Users in 120+ Countries
  • securityonline.info: Smishing Triad: eCrime Group Targets 121+ Countries with Advanced Smishing

References:
  • krebsonsecurity.com: China-based SMS Phishing Triad Pivots to Banks - Krebs on Security
  • www.silentpush.com: Silent Push blog on Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit
  • gbhackers.com: GBHackers article on Smishing Triad
  • Cyber Security News: CyberPress report on Chinese eCrime Group Launches Global Attack to Steal Banking Credentials from Users in 120+ Countries
  • securityonline.info: Smishing Triad: eCrime Group Targets 121+ Countries with Advanced Smishing
  • Security Latest: Smishing Triad: The Scam Group Stealing the World’s Riches

Stu Sjouwerman@blog.knowbe4.com //
Cisco Talos has uncovered an extensive and ongoing SMS phishing campaign that began in October 2024, targeting toll road users across the United States. The "Smishing Triad," a China-based eCrime group, is suspected to be behind these attacks, impersonating E-ZPass and other U.S. toll agencies to steal financial information. Victims receive fraudulent text messages claiming they have an outstanding toll bill, typically under $5, and are urged to pay immediately to avoid late fees. These messages prompt users to click on a link that leads to a spoofed domain mimicking the legitimate toll service's website.

Once on the fake webpage, victims are asked to solve a CAPTCHA before being directed to a fraudulent bill displaying their name and the supposed amount owed. Upon clicking "Proceed Now," users are prompted to enter personal information, including their name, address, phone number, and credit card details, which are then stolen by the threat actors. Talos assesses with moderate confidence that multiple financially motivated threat actors are involved, utilizing a smishing kit developed by "Wang Duo Yu." The actors have targeted individuals in at least eight states, including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas, identified through spoofed domains containing the states' two-letter abbreviations.

The Smishing Triad, known for systematically targeting organizations in at least 121 countries across various industries, has shown remarkable success in converting phished payment card data into mobile wallets from Apple and Google. Silent Push analysts have found that the group's infrastructure generated over one million page visits in just 20 days, suggesting a potentially higher volume of SMS messages sent than previously estimated. The group continues to sell its phishing kits via Telegram and other channels. Authorities, including the FBI's IC3, have been aware of similar scams since at least April 2024, highlighting the persistent and evolving nature of these phishing campaigns.

Recommended read:
References :
  • Cisco Talos Blog: Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
  • Blog: A recent smishing campaign is impersonating E-ZPass and other U.S.-based toll agencies and sending fraudulent text messages to individuals. These messages claim that recipients have unpaid tolls and urge immediate payment to avoid penalties or suspension of driving privileges.
  • Cisco Talos: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
  • krebsonsecurity.com: China-based SMS phishing Triad Pivots to Banks
  • www.silentpush.com: Smishing Triad is a Chinese eCrime group systematically targeting organizations in at least 121 countries with SMS phishing ("smishing") campaigns.

@Talkback Resources //
Despite recent arrests in 2024, the Scattered Spider cybercrime collective remains active in 2025, continuing to target high-profile organizations with sophisticated social engineering attacks. The group, known for its audacious breaches including attacks against MGM Resorts and Caesars Entertainment in 2023, employs tactics such as impersonating IT staff to steal login credentials and using remote access tools. Security firm Silent Push has uncovered the group's persistence in 2025 and has outlined the group's latest tactics, techniques and procedures.

Scattered Spider is utilizing updated phishing kits and a new version of the Spectre RAT malware to compromise systems and exfiltrate sensitive data. Their phishing campaigns involve impersonating well-known brands and software vendors, including the use of dynamic DNS services to evade detection. Targets in 2025 include organizations such as Klaviyo, HubSpot, Pure Storage, Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone.

Law enforcement has made some progress in disrupting Scattered Spider's operations. Noah Michael Urban, also known as "King Bob," a 20-year-old member of the group, pleaded guilty to charges related to SIM swap fraud, aggravated identity theft, and cryptocurrency thefts. He faces potential decades in prison and is required to pay over $13.2 million in restitution to 59 victims. Silent Push made available code for a Spectre RAT string decoder and command and control (C2) emulator that defenders can use in their efforts to squash the eight-legged menace.

Recommended read:
References :
  • Talkback Resources: Scattered Spider adds new phishing kit, malware to its web
  • www.scworld.com: Scattered Spider persists with use of Spectre RAT, new phishing kit
  • cyberpress.org: Article on Scattered Spider conducting advanced campaigns to steal login credentials and MFA tokens
  • gbhackers.com: The cyber threat landscape has witnessed remarkable adaptation from the notorious hacker collective known as Scattered Spider. Active since at least 2022, this group has been consistently refining its strategies for system compromise, data exfiltration, and identity theft. Silent Push analysts have tracked the evolution of Scattered Spider’s tactics, techniques, and procedures (TTPs) through early
  • cybersecuritynews.com: Scattered Spider Employs Sophisticated Attacks to Steal Login Credentials & MFA Tokens
  • gbhackers.com: Scattered Spider Launches Sophisticated Attacks to Steal Login Credentials and MFA Tokens

Mandvi@Cyber Security News //
Netskope Threat Labs has uncovered a new evasive campaign that uses fake CAPTCHAs and Cloudflare Turnstile to deliver the LegionLoader malware. This sophisticated attack targets individuals searching for PDF documents online, tricking them into downloading malware that installs a malicious browser extension. This extension is designed to steal sensitive user data. The campaign has been active since February 2025 and has impacted over 140 customers.

The attack begins when victims are lured to malicious websites after searching for specific PDF documents. These sites present fake CAPTCHAs. Interacting with the fake CAPTCHA redirects the victim through a Cloudflare Turnstile page to a notification prompt. If the user enables browser notifications, they are directed to download what they believe is their intended document. However, this process executes a command that downloads a malicious MSI installer.

Upon execution, the MSI file installs a program named "Kilo Verfair Tools" which sideloads a malicious DLL, initiating the LegionLoader infection. The LegionLoader payload uses a custom algorithm to deobfuscate shellcode and then injects the payload into an "explorer.exe" process. This ultimately leads to the installation of a malicious browser extension, often masquerading as "Save to Google Drive". This extension steals sensitive information like clipboard data, cookies, and browsing history. The affected sectors include technology and business services, retail, and telecommunications.

Recommended read:
References :
  • Cyber Security News: LegionLoader Delivered Through Fake CAPTCHAs and Abused Cloudflare Turnstile by Threat Actors
  • cybersecuritynews.com: Threat Actors Using Fake CAPTCHAs and CloudFlare Turnstile to Deliver LegionLoader
  • gbhackers.com: Threat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader
  • Virus Bulletin: The Netskope Threat Labs team discovered a campaign abusing fake CAPTCHA & CloudFlare Turnstile to deliver LegionLoader.
  • securityonline.info: New Evasive Campaign Uses Fake CAPTCHAs to Deliver LegionLoader
  • Threat Labs - Netskope: The Netskope Threat Labs team discovered a campaign abusing fake CAPTCHA & CloudFlare Turnstile to deliver LegionLoader.

The Hacker News@thehackernews.com //
A new phishing campaign called 'PoisonSeed' has emerged, posing a significant cybersecurity threat by targeting customer relationship management (CRM) platforms and bulk email service providers. The campaign leverages compromised credentials to distribute emails containing cryptocurrency seed phrases, aiming to drain victims' digital wallets. This activity forms part of a broader supply chain attack, impacting enterprise organizations and individuals outside the cryptocurrency industry, with crypto companies like Coinbase and Ledger and bulk email providers such as Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho among the targeted companies.

PoisonSeed's method involves creating convincing phishing pages mimicking login portals for popular CRM and email platforms. These deceptive pages trick victims into revealing their credentials, after which the attackers automate the export of email lists and create API keys for persistent access. Compromised accounts are then used to send bulk phishing emails with urgent lures, such as fake wallet migration notices, urging recipients to set up new cryptocurrency wallets using a provided seed phrase. If entered, this seed phrase allows attackers to access the wallet and steal funds, initiating a cryptocurrency seed phrase poisoning attack.

Silent Push analysts have identified an extensive list of Indicators of Compromise (IoCs) associated with PoisonSeed's infrastructure, including phishing domains like mailchimp-sso[.]com and C2 Servers with IP addresses such as 212.224.88[.]188. While PoisonSeed shares some tactics with known groups like Scattered Spider and CryptoChameleon, it's considered a distinct entity with a focus on cryptocurrency theft rather than ransomware attacks. This malicious campaign exploits CRM credentials to spread cryptocurrency seed phrase attacks, placing many wallets at risk of compromise.

Recommended read:
References :
  • Cyber Security News: The campaign targets individuals and organizations outside the cryptocurrency industry.
  • gbhackers.com: PoisonSeed uses advanced phishing techniques.
  • www.bleepingcomputer.com: Threat actors are leveraging compromised credentials.
  • securityonline.info: SecurityOnline.info - PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
  • The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and empty wallets
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and empty wallets – Source: securityaffairs.com
  • Cyber Security News: A new phishing campaign, PoisonSeed, has been targeting CRM and email providers to obtain email lists for bulk cryptocurrency spamming.
  • securityonline.info: Threat actors target email providers to provide infrastructure for cryptocurrency spam operations.
  • Security Risk Advisors: PoisonSeed Actors Hijack Bulk Email Services to Execute Cryptocurrency Seed Phrase Attacks