CyberSecurity news

FlagThis - #socialengineering

@blog.checkpoint.com //
Scattered Spider, a financially motivated cyber threat group, has significantly expanded its targeting, with recent intelligence highlighting a new focus on the aviation sector. Known for its aggressive social engineering tactics and identity-focused intrusions, the group has previously targeted telecommunications, SaaS, cloud, and financial services by hijacking user identities and exploiting authentication flows. The FBI has issued a warning, indicating that airlines are now directly in the crosshairs of Scattered Spider. Their methods often involve sophisticated techniques such as SIM swapping, impersonating helpdesk personnel, and employing adversary-in-the-middle (AiTM) phishing to obtain valid credentials and tokens, frequently bypassing multi-factor authentication (MFA). This broader targeting strategy underscores the evolving and increasingly pervasive threat posed by this group.

In a significant development that underscores the reach of Scattered Spider, UK authorities have arrested four individuals linked to a spree of cyberattacks that crippled major British retailers, including Marks & Spencer, Harrods, and the Co-op earlier this year. The arrests, which involved individuals aged 17 to 20, are a major step in a high-priority investigation. The National Crime Agency (NCA) confirmed the arrests, suspecting the individuals of Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime. These retail attacks caused substantial disruption, with Marks & Spencer estimating losses of around £300 million due to the incident. The methods employed in these attacks, which reportedly included gaining access through social engineering to deploy ransomware, align with Scattered Spider's known modus operandi.

The growing threat posed by Scattered Spider has prompted cybersecurity experts to issue alerts, particularly concerning their expansion into the aviation sector. The group's ability to effectively compromise user identities and bypass security measures like MFA makes them a formidable adversary. Their recent targeting of airlines, following major disruptions in the retail sector, signifies a dangerous escalation. Companies within the aviation industry, and indeed across all sectors, must remain vigilant and bolster their identity-centric defenses to counter the sophisticated tactics employed by Scattered Spider, which include advanced phishing kits, dynamic command and control infrastructure, and custom malware for persistent access.

Recommended read:
References:
  • blog.checkpoint.com: Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation
  • Resources-2: Tracking Scattered Spider Through Identity Attacks and Token Theft
  • Cloud Security Alliance: Scattered Spider: The Group Behind Major ESXi Ransomware Attacks
  • BrianKrebs: You've probably read by now that British authorities this week arrested 4 people aged 17-20 in re an investigation into data ransom attacks from the cybercrime group Scattered Spider, which has been blamed in breaches at Marks & Spencer, Harrods, MGM Casinos and a bunch of airlines recently.
  • infosec.exchange: 3 teenagers aged 17-19 and a 20-year-old woman arrested in the UK this morning in connection with cyber attacks on Marks & Spencer (M&S) and Co-op retail chains in April-May this year
  • Zack Whittaker: New, by me: U.K. authorities have confirmed the arrest of four alleged hackers behind the recent U.K. retail hacking spree targeting Marks & Spencer, Harrods, and the Co-op earlier this year. The hackers are allegedly linked to Scattered Spider; one of the suspects is aged 17.
  • techcrunch.com: The U.K. National Crime Agency said the suspects are in custody in relation to the hacks targeting Marks & Spencer, Harrods, and the Co-op.
  • SecureWorld News: 4 Arrested in U.K. for Cyberattacks on Retail Tied to Scattered Spider
  • www.nationalcrimeagency.gov.uk: Report on the arrests of four individuals linked to the Scattered Spider hacking group for the cyberattacks on UK retailers.
  • The Register - Security: NCA arrests four in connection with UK retail ransomware attacks
  • thecyberexpress.com: UK NCA Arrests Four in Cyberattacks on M&S, Co-op, and Harrods
  • HYPR Blog: Deconstructing the Gen-Z Hackers behind the £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
  • cyberscoop.com: UK arrests four for cyberattacks on major British retailers
  • WIRED: 4 Arrested Over Scattered Spider Hacking Spree
  • blog.knowbe4.com: Alert from KnowBe4 about Scattered Spider targeting the aviation sector.
  • Metacurity: UK's NCA arrested four people for M&S, Co-Op cyberattacks
  • Risky.Biz: Four Key Players Drive Scattered Spider
  • Talkback Resources: UK charges four in Scattered Spider ransom group
  • TechInformed: Four people have been arrested as part of a National Crime Agency (NCA) investigation into cyberattacks targeting major UK retailers M&S, Harrods and Co-op.
  • Help Net Security: The UK's National Crime Agency (NCA) arrested four individuals suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.
  • hackread.com: UK Arrests Woman and Three Men for Cyberattacks on M&S Co-op and Harrods
  • securityaffairs.com: UK NCA arrested four people over M&S, Co-op cyberattacks
  • BleepingComputer: The UK's National Crime Agency (NCA) arrested four people suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.

@www.helpnetsecurity.com //
Russian hackers have found a way to bypass Gmail's multi-factor authentication (MFA) in targeted attacks against academics and critics who engage in discussions about Russia. According to Google Threat Intelligence Group (GTIG), the hackers are using stolen app passwords obtained through sophisticated and personalized social engineering attacks. These attacks involve posing as U.S. Department of State officials to build rapport with targets, eventually convincing them to create and share app-specific passwords.

App passwords are 16-digit codes that Google generates to allow certain apps or devices to access a Google Account, bypassing the usual second verification step of MFA. While useful for older or less secure apps that can't handle MFA, app passwords lack the extra layer of security, making them vulnerable to theft or phishing. In one instance, the attackers, tracked as UNC6293 and believed to be state-sponsored, contacted a target under the guise of a State Department representative, inviting them to a consultation in a private online conversation, further lending credibility by CCing four @state.gov accounts.

This campaign, which took place between April and early June, involved meticulously crafted phishing messages that did not rush the target into immediate action. Instead, the hackers focused on building trust through personalized emails and invitations to private conversations, using spoofed '@state.gov' addresses in the CC field to add credibility. Keir Giles, a prominent British researcher on Russia, was one such target. Google's researchers highlighted the deliberately slow pace at which the attackers built rapport with their victims, sending them personalized emails and inviting them to private conversations or meetings.

Recommended read:
References:
  • BleepingComputer: Russian hackers bypass Gmail MFA using stolen app passwords
  • Malwarebytes: Gmail’s multi-factor authentication bypassed by hackers to pull off targeted attacks
  • Help Net Security: Microsoft will start removing legacy drivers from Windows Update to improve driver quality for Windows users but, most importantly, to increase security, the company has announced.
  • www.techradar.com: Academics and critics engaging with Russia discussions are being targeted in email phishing campaign.

@cyberscoop.com //
Aflac Incorporated, the insurance giant, has confirmed a cybersecurity incident that occurred on June 12, 2025. The company detected suspicious activity on its US network and promptly initiated its cyber incident response protocols, successfully stopping the intrusion within hours. According to Aflac's official disclosure, their systems were not affected by ransomware, ensuring business operations such as underwriting, claims processing, and customer support remain uninterrupted. However, Aflac warns that sensitive customer information may have been exposed during the breach.

Preliminary findings indicate that the unauthorized party used sophisticated social engineering tactics to gain access to Aflac's network. This method often involves tricking individuals into revealing sensitive information or granting access. Aflac has engaged leading third-party cybersecurity experts to assist with the ongoing investigation. CNN, citing sources familiar with the investigation, reported that this incident, along with others recently affecting the insurance sector, is consistent with the techniques of a cybercrime group known as “Scattered Spider.” Aflac acknowledged the broader context of the attack, stating, "This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group."

The review of potentially impacted files is still in its early stages, and Aflac has not yet determined the total number of individuals affected. However, the company has indicated that the compromised files may contain sensitive information. The Aflac breach is the latest cyberattack against the insurance industry.

Recommended read:
References:
  • thecyberexpress.com: Aflac Reports Breach as Insurance Cyberattacks Grow
  • eSecurity Planet: Aflac Discloses Cybersecurity Incident, Customer Data Potentially Exposed Amid Industry-Wide Attacks
  • www.prnewswire.com: Aflac Incorporated Discloses Cybersecurity Incident
  • www.scworld.com: Aflac among victims in cyberattacks targeting US insurance industry
  • www.esecurityplanet.com: Aflac confirms a cyberattack exposed sensitive customer data, citing social engineering tactics amid a wave of breaches targeting US insurers.
  • techcrunch.com: US insurance giant Aflac says customers’ personal data stolen during cyberattack
  • Dominic Alvieri: Mastodon post about Aflac data theft.

Michael Kan@PCMag Middle East ai //
A new cyber threat has emerged, targeting users eager to experiment with the DeepSeek AI model. Cybercriminals are exploiting the popularity of open-source AI by disguising malware as a legitimate installer for DeepSeek-R1. Victims unknowingly download the "BrowserVenom" malware, a malicious program designed to steal stored credentials and session cookies and to gain access to cryptocurrency wallets. This attack highlights the growing trend of cybercriminals leveraging interest in AI to distribute malware.

This attack vector involves malicious Google ads that redirect users to a fake DeepSeek domain when they search for "deepseek r1." The fraudulent website, designed to mimic the official DeepSeek page, prompts users to download a file named "AI_Launcher_1.21.exe." Once executed, the installer displays a fake installation screen while silently installing BrowserVenom in the background. Security experts at Kaspersky have traced the threat and identified that the malware reconfigures browsers to route traffic through a proxy server controlled by the hackers, enabling them to intercept sensitive data.

Kaspersky's investigation revealed that the BrowserVenom malware can evade many antivirus programs and has already infected computers in various countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The analysis of the phishing and distribution websites revealed Russian-language comments within the source code, suggesting the involvement of Russian-speaking threat actors. This incident serves as a reminder to verify the legitimacy of websites and software before downloading, especially when dealing with open-source AI tools that require multiple installation steps.

Recommended read:
References:
  • gbhackers.com: Threat Actors Exploit DeepSeek-R1 Popularity to Target Windows Device Users
  • PCMag Middle East ai: 'BrowserVenom' Windows Malware Preys on Users Looking to Run DeepSeek AI
  • bsky.app: Cybercriminals are exploiting the growing interest in open source AI models by disguising malware as a legit installer for DeepSeek. Victims are unwittingly downloading the "BrowserVenom" malware designed to steal stored credentials, session cookies, etc. and gain access to cryptocurrency wallets.
  • The Register - Software: DeepSeek installer or just malware in disguise? Click around and find out
  • Malware - Graham Cluley: Malware attack disguises itself as DeepSeek installer
  • Graham Cluley: Cybercriminals are exploiting the growing interest in open source AI models by disguising malware as a legitimate installer for DeepSeek.
  • Securelist: Toxic trend: Another malware threat targets DeepSeek
  • www.pcmag.com: Antivirus provider Kaspersky traces the threat to malicious Google ads.
  • www.techradar.com: Fake DeepSeek website found serving dangerous malware instead of the popular app.
  • www.microsoft.com: Rewriting SymCrypt in Rust to modernize Microsoft’s cryptographic library
  • ASEC: Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)
  • cyble.com: Over 20 Crypto Phishing Applications Found on the Play Store Stealing Mnemonic Phrases

Tyler McGraw@Rapid7 Cybersecurity Blog //
The BlackSuit ransomware group is continuing its campaign of social engineering attacks, a tactic that cybersecurity experts believe they adopted from the Black Basta ransomware group. This shift in tactics comes after Rapid7 observed a significant decrease in social engineering attacks attributed to Black Basta since late December 2024, possibly indicating a change in Black Basta's operations due to internal conflicts or other factors. BlackSuit's persistence in employing social engineering highlights the ongoing threat landscape where ransomware groups readily adapt and evolve their methods to maximize their success in breaching target networks.

The social engineering tactics employed by BlackSuit echo those previously used by Black Basta, including email bombing and Microsoft Teams phishing. According to a report from ReliaQuest in June 2025, attackers have recently begun incorporating Python scripts alongside these techniques, using cURL requests to retrieve and deploy malicious payloads. This demonstrates an increasing sophistication in their approach, aimed at establishing persistent access to targeted systems and evading traditional security measures. These attacks often masquerade as legitimate communications, for example from help desk personnel, to trick unsuspecting users into divulging sensitive information or executing malicious code.

ReliaQuest's findings reveal that a substantial portion of Teams phishing attacks originated from onmicrosoft[.]com domains or breached domains, making it difficult to distinguish malicious traffic from legitimate network activity. The affected sectors include finance, insurance, and construction. This transition towards more sophisticated and stealthy methods poses a significant challenge to organizations, as they must enhance their detection capabilities to identify and mitigate these evolving threats effectively.

Recommended read:
References:
  • Rapid7 Cybersecurity Blog: BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict
  • BlackFog: BlackSuit Ransomware: How It Works and Who’s Behind It

djohnson@CyberScoop //
A sophisticated multi-stage malware campaign is exploiting the growing interest in AI video generation tools to distribute the Noodlophile information stealer. Cybercriminals are using social media platforms like Facebook and LinkedIn to post malicious ads that lure users to fake websites promising AI video generation services. These websites, designed to mimic legitimate AI tools such as Luma AI, Canva Dream Lab, and Kling AI, instead deliver a range of malware including infostealers, Trojans, and backdoors. The campaign has been active since mid-2024, with thousands of malicious ads reaching millions of unsuspecting users.

The attackers, identified as the Vietnamese-speaking threat group UNC6032, utilize a complex infrastructure to evade detection. They constantly rotate the domains used in their ads and create new ads daily, using both compromised and newly created accounts. Once a user clicks on a malicious ad and visits a fake website, they are led through a deceptive process that appears to generate an AI video. However, instead of receiving a video, the user is prompted to download a ZIP file containing malware. Executing this file compromises the device, potentially logging keystrokes, scanning for password managers and digital wallets, and installing backdoors.

The malware deployed in this campaign includes the STARKVEIL dropper, which then deploys the XWorm and FROSTRIFT backdoors, and the GRIMPULL downloader. The Noodlophile stealer itself is designed to extract sensitive information such as login credentials, cookies, and credit card data, which is then exfiltrated through Telegram. Mandiant Threat Defense reports that these attacks have resulted in the theft of personal information and are concerned that the stolen data is likely sold on illegal online markets. Users are urged to exercise caution and verify the legitimacy of AI tools before using them.

Recommended read:
References:
  • www.pcrisk.com: Noodlophile Stealer Removal Guide
  • Malwarebytes: Cybercriminals are using text-to-video-AI tools to lure victims to fake websites that deliver malware like infostealers and Trojans.
  • hackread.com: Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers
  • PCMag UK security: Cybercriminals are capitalizing on interest in AI video tools by posting malware-laden ads on Facebook and LinkedIn, according to Google's threat intelligence unit.
  • Virus Bulletin: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake “AI video generator” websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • PCMag Middle East ai: Be Careful With Facebook Ads for AI Video Generators: They Could Be Malware
  • The Register - Security: Millions may fall for it - and end up with malware instead. A group of miscreants tracked as UNC6032 is exploiting interest in AI video generators by planting malicious ads on social media platforms to steal credentials, credit card details, and other sensitive info, according to Mandiant.
  • cloud.google.com: Google Threat Intelligence Group (GTIG) assesses UNC6032 to have a Vietnam nexus.
  • Threat Intelligence: Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
  • CustomGPT: Primary actor: Vietnamese-speaking threat group UNC6032. Campaign scale: over 2.3 million users targeted in the EU region alone. Distribution method: social media advertising (Facebook, LinkedIn) and fake AI platforms. Infrastructure: 30+ registered domains with 24-48 hour rotation cycles. Impersonated legitimate services: Luma AI, Canva Dream Lab, Kling AI, Dream Machine.
  • Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
  • Vulnerable U: Fake AI Video Generators Deliver Rust-Based Malware via Malicious Ads
  • Cisco Talos Blog: Cybercriminals camouflaging threats as AI tool installers
  • Graham Cluley: LinkedIn is littered with links to lurking infostealers, disguised as AI video tools
  • blog.talosintelligence.com: Cisco Talos Uncovers Multiple Malware Families Disguised as Legitimate AI Tool Installers
  • bsky.app: LinkedIn is littered with links to lurking infostealers, disguised as AI video tools

djohnson@CyberScoop //
A Vietnam-based cybercriminal group, identified as UNC6032, is exploiting the public's fascination with AI to distribute malware. The group has been actively using malicious advertisements on platforms like Facebook and LinkedIn since mid-2024, luring users with promises of access to popular prompt-to-video AI generation tools such as Luma AI, Canva Dream Lab, and Kling AI. These ads direct victims to fake websites mimicking legitimate dashboards, where they are tricked into downloading ZIP files containing infostealers and backdoors.

The multi-stage attack involves sophisticated social engineering techniques. The initial ZIP file contains an executable disguised as a harmless video file using Braille characters to hide the ".exe" extension. Once executed, this binary, named STARKVEIL and written in Rust, unpacks legitimate binaries and malicious DLLs to the "C:\winsystem\" folder. It then prompts the user to re-launch the program after displaying a fake error message. On the second run, STARKVEIL deploys a Python loader called COILHATCH, which decrypts and side-loads further malicious payloads.
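A defender-side check for the archive trick described above, added here as an example and not code from Mandiant or the source article: it lists ZIP members whose true extension is executable while Braille pattern characters (Unicode block U+2800 to U+28FF, which render as blank space) or a preceding media extension disguise it. The ZIP and its file names are constructed in memory for the demonstration; they are lookalikes, not the campaign's actual samples.

```python
import io
import re
import zipfile
from typing import List, Optional

# Extensions Windows runs when the user double-clicks the file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".js", ".vbs", ".lnk"}
# Extensions a victim expects to see on a "generated video" (tuple keeps reporting order stable).
LURE_EXTENSIONS = (".mp4", ".mov", ".avi", ".mkv", ".gif", ".webm")
# Unicode Braille Patterns block; U+2800 (BRAILLE PATTERN BLANK) looks like whitespace in Explorer.
BRAILLE_RE = re.compile(r"[\u2800-\u28ff]")


def analyse_name(name: str) -> Optional[dict]:
    """Return a finding for one archive member name, or None if it looks benign."""
    base = name.rsplit("/", 1)[-1]  # drop any directory prefix inside the archive
    lower = base.lower()
    true_ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if true_ext not in EXECUTABLE_EXTENSIONS:
        return None  # only executables can be "disguised" in the sense we care about
    reasons = []
    braille = BRAILLE_RE.findall(base)
    if braille:
        reasons.append(f"{len(braille)} Braille pattern character(s) pad the name")
    # Does a lure extension appear before the real one (e.g. 'video.mp4<padding>.exe')?
    stem = lower[: -len(true_ext)]
    stripped = BRAILLE_RE.sub("", stem).rstrip()
    for lure in LURE_EXTENSIONS:
        if lure in stripped:
            reasons.append(f"lure extension {lure!r} precedes executable extension {true_ext!r}")
            break
    if not reasons:
        return None  # a plainly named .exe is not deceptive by itself
    return {
        "name": base,
        "display_name": BRAILLE_RE.sub("", base),  # what the name looks like once padding is removed
        "true_extension": true_ext,
        "reasons": reasons,
    }


def suspicious_archive_entries(zip_bytes: bytes) -> List[dict]:
    """Scan every member name of a ZIP (given as bytes) and return the deceptive ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            finding = analyse_name(info.filename)
            if finding:
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one padded lookalike executable plus two benign members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Hypothetical lure name: video extension, 40 blank Braille cells, then the real .exe.
        zf.writestr("Luma_Dream_Machine_video.mp4" + "\u2800" * 40 + ".exe", b"MZ placeholder")
        zf.writestr("readme.txt", b"constructed benign file")
        zf.writestr("clip.mp4", b"constructed benign file")
    return buf.getvalue()


if __name__ == "__main__":
    for f in suspicious_archive_entries(build_sample_zip()):
        print(f["display_name"], "->", "; ".join(f["reasons"]))
```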

This campaign has impacted a wide range of industries and geographic areas, with the United States being the most frequently targeted. The malware steals sensitive data, including login credentials, cookies, credit card information, and Facebook data, and establishes persistent access to compromised systems. UNC6032 constantly refreshes domains to evade detection, and while Meta has removed many of these malicious ads, users are urged to exercise caution and verify the legitimacy of AI tools before using them.

Recommended read:
References:
  • Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
  • The Register - Security: The Register reports that miscreants are using text-to-AI-video tools and Facebook ads to distribute malware and steal credentials.
  • PCMag UK security: Warning AI-Generated TikTok Videos Want to Trick You Into Installing Malware
  • cloud.google.com: Google's Threat Intelligence Unit, Mandiant, reported that social media platforms are being used to distribute malware-laden ads impersonating legitimate AI video generator tools.
  • Malwarebytes: Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
  • hackread.com: Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers
  • www.techradar.com: Millions of users could fall for fake Facebook ad for a text-to-AI-video tool that is just malware
  • CyberInsider: Cybercriminals Use Fake AI Video Tools to Deliver Infostealers
  • Metacurity: Metacurity for a concise rundown of the most critical developments you should know, including UNC6032 uses prompt-to-video AI tools to lure malware victims
  • PCMag UK security: Cybercriminals have been posting Facebook ads for fake AI video generators to distribute malware, Google’s threat intelligence unit Mandiant.
  • Virus Bulletin: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake “AI video generator” websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • hackread.com: Fake ChatGPT and InVideo AI Downloads Deliver Ransomware
  • PCMag Middle East ai: Be Careful With Facebook Ads for AI Video Generators: They Could Be Malware
  • Threat Intelligence: Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
  • ciso2ciso.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools
  • aboutdfir.com: Google warns of Vietnam-based hackers using bogus AI video generators to spread malware
  • BleepingComputer: Cybercriminals exploit AI hype to spread ransomware, malware
  • www.pcrisk.com: Novel infostealer with Vietnamese attribution
  • ciso2ciso.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools – Source:thehackernews.com
  • securityonline.info: Warning: Fake AI Tools Spread CyberLock Ransomware and Numero Destructive Malware
  • Vulnerable U: Fake AI Video Generators Deliver Rust-Based Malware via Malicious Ads. Analysis of UNC6032’s Facebook and LinkedIn ad blitz shows social-engineered ZIPs leading to multi-stage Python and DLL side-loading toolkits.
  • oodaloop.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools
  • OODAloop: Artificial intelligence tools are being used by cybercriminals to target users and propagate threats. The CyberLock and Lucky_Gh0$t ransomware families are some of the threats involved in the operations. The cybercriminals are using fake installers for popular AI tools like OpenAI’s ChatGPT and InVideoAI to lure in their victims.
  • bsky.app: LinkedIn is littered with links to lurking infostealers, disguised as AI video tools. Deceptive ads for AI video tools posted on LinkedIn and Facebook are directing unsuspecting users to fraudulent websites, mimicking legitimate AI tools such as Luma AI, Canva Dream Lab, and Kling AI.
  • bgr.com: AI products that sound too good to be true might be malware in disguise
  • Security Risk Advisors: Cisco Talos Uncovers Multiple Malware Families Disguised as Legitimate AI Tool Installers
  • blog.talosintelligence.com: Cisco Talos discovers malware campaign exploiting #AI tool installers. #CyberLock #ransomware #Lucky_Gh0$t & new "Numero" malware disguised as legitimate AI installers.
  • cyberpress.org: ClickFix Technique Used by Threat Actors to Spread EddieStealer Malware
  • phishingtackle.com: Hackers Exploit TikTok Trends to Spread Malware Via ClickFix
  • gbhackers.com: Threat Actors Leverage ClickFix Technique to Deploy EddieStealer Malware