CyberSecurity news

FlagThis - #socialengineering

@gbhackers.com //

North Korean Hackers Exploit PowerShell Trick - The North Korea-linked APT group Kimsuky is tricking targets into running PowerShell as an administrator and executing malicious code, using a browser-based remote desktop tool for data exfiltration.
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.

If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.

Recommended read:
References :
  • gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
  • securityaffairs.com: North Korea-linked APT Emerald Sleet is using a new tactic
  • The Hacker News: The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets.
  • gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
  • BleepingComputer: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired from the now widespread ClickFix campaigns.
  • : Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
  • www.bleepingcomputer.com: Reports on Emerald Sleet's activity exploiting PowerShell.
  • www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
  • www.scworld.com: PowerShell exploited in new Kimsuky intrusions
  • Talkback Resources: Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailored phishing lures and leveraging PowerShell scripts and Dropbox for payload delivery and data exfiltration.
  • The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
  • MSSP feed for Latest: Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox
  • securityaffairs.com: Analyzing DEEP#DRIVE: North Korean
@cyberalerts.io //

ClickFix Attack Deploys Havoc C2 via SharePoint - A ClickFix phishing campaign tricks victims into deploying the Havok framework, using SharePoint and the Microsoft Graph API to hide malicious communications within trusted Microsoft services.
A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands, which subsequently deploy the Havok post-exploitation framework. This framework grants attackers remote access to compromised devices. The attackers cleverly conceal the different stages of their malware within SharePoint sites and employ a modified version of Havoc Demon in tandem with the Microsoft Graph API. This tactic is used to obfuscate command-and-control (C2) communications, making them appear as legitimate traffic within trusted Microsoft services.

The attack starts with a phishing email that has a HTML attachment, when opened, displays an error message, which uses the ClickFix technique to trick users into copying and executing a malicious PowerShell command into their terminal or PowerShell, thereby triggering the next-stage. The command downloads and executes a PowerShell script hosted on a server controlled by the attacker. This script checks for sandboxed environments, downloads the Python interpreter if needed, and executes a Python script serving as a shellcode loader for KaynLdr, launching the Havoc Demon agent on the infected host.

Recommended read:
References :
  • bsky.app: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • thehackernews.com: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites
  • BleepingComputer: BleepingComputer post about a new ClickFix phishing campaign.
  • Anonymous ???????? :af:: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • Talkback Resources: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites [social] [mal]
  • bsky.app: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • Virus Bulletin: Virus Bulletin covers campaign combining ClickFix & multi-stage malware to deploy a modified Havoc Demon Agent.
  • Email Security - Blog: Cyber security researchers have discovered a new and sophisticated cyber attack campaign that’s predicated on social engineering and remote access tool use.
Aman Mishra@gbhackers.com //

Hackers Exploit Teams and Quick Assist for Access - Threat actors are exploiting Microsoft Teams & Quick Assist for remote access, demonstrating a growing trend of cybercriminals abusing legitimate tools to bypass security defenses and infiltrate corporate networks.
Cybersecurity researchers have revealed a sophisticated campaign where hackers are exploiting Microsoft Teams and Quick Assist for remote access. The attacks have been attributed to ransomware groups such as Black Basta and Cactus, highlighting a growing trend of cybercriminals abusing legitimate tools to bypass security defenses and infiltrate corporate networks. The attackers use social engineering tactics, including email flooding, followed by direct contact via Microsoft Teams, impersonating IT support staff to trick victims into granting access through Microsoft’s Quick Assist tool.

Once inside, attackers deploy additional malware by abusing OneDriveStandaloneUpdater.exe, a legitimate Microsoft process. By sideloading malicious DLLs, they establish persistent control and use BackConnect malware for command-and-control communication. This campaign has impacted various regions and industries, with a significant number of incidents occurring in North America, particularly the United States, and Europe. Manufacturing, financial services, and real estate sectors have been particularly targeted, as these threat actors are actively working around conventional security measures.

Recommended read:
References :
@techcrunch.com //

Insight Partners Investigates Data Breach After Cyberattack - Venture capital firm Insight Partners suffered a cyberattack involving unauthorized access to its information systems through a sophisticated social engineering scheme on January 16, 2025.
New York-based venture capital and private equity firm Insight Partners has disclosed a security breach of its systems. The firm, which manages over $90 billion in regulatory assets and has invested in over 800 software and technology startups globally over the past 30 years, revealed that the incident occurred in January. The breach involved unauthorized access to its information systems following what they are calling "a sophisticated social engineering attack."

Insight Partners confirmed that the attack took place on January 16, 2025. The company has taken steps to address the situation, notifying law enforcement in relevant jurisdictions and engaging third-party cybersecurity experts to investigate the full scope and impact of the breach. The investigation is ongoing to determine the extent of data exposure and to implement measures to prevent future incidents.

Recommended read:
References :
  • cyberinsider.com: Insight Partners Investigates Data Breach Following Cyberattack
  • BleepingComputer: New York-based venture capital firm Insight Partners has disclosed that its systems were breached
  • techcrunch.com: VC giant Insight Partners confirms a January cyberattack
  • CyberInsider: Insight Partners Investigates Data Breach Following Cyberattack
  • securityaffairs.com: Venture capital firm Insight Partners discloses security breach
  • www.bleepingcomputer.com: Insight Partners hit by cyberattack
  • Carly Page: US-based VC giant Insight Partners has confirmed that hackers breached its systems in January.
  • aboutdfir.com: Insight Partners confirms cyberattack in January 2025, with unauthorized access to information systems.

Posts

Blogs

Research Tools