This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.

LNK Malware Strategies: Surge in Shortcut File Attacks 

Unit 42 has detected a significant uptick in malicious use of Windows shortcut (LNK) files, with infections rising from approximately 21,100 in 2023 to over 68,400 in 2024. Their in-depth analysis of 30,000 samples highlights how attackers exploit the flexibility of LNK files to execute malware via four main techniques: exploit execution, file-on-disk execution, in-argument scripts, and overlay content. 

Key Insights: 

• Exploit Delivery: Malicious LNK files leverage OS vulnerabilities to trigger payload execution directly when folders are opened. 

• File Execution: Attackers use LNK shortcuts to launch hidden executables or scripts residing on disk. 

• In-Argument Scripts: LNK files embed commands within their arguments, often invoking PowerShell or cmd.exe with encoded scripts for stealthy execution. 

• Overlay Payloads: Hidden payloads are appended to LNK files, with execution triggered via utilities like findstr, mshta, or PowerShell to extract and run embedded code. 

Between March and April 2025, the rapid expansion in campaigns underscores the need for caution around downloading or opening unknown LNK files, especially those received via email or untrusted sources. 

Further Reading: Unit 42 

BERT Ransomware Hits Asia & Europe Across Multiple Platforms 

Trend Micro researchers have identified BERT, a newly emerged ransomware group targeting organizations in Asia, Europe, and the U.S.—notably within healthcare, technology, and event services sectors. First observed in April 2025, BERT operates across both Windows and Linux environments and stands out for its streamlined execution and powerful impact despite a relatively simple codebase. 

Key Insights: 

• Multi‑Platform Reach: BERT deploys across Windows and Linux systems. Windows attacks disable security tools and escalate privileges via PowerShell, while Linux variants operate with high parallelization—encrypting up to 50 threads and forcibly shutting down ESXi virtual machines to maximize impact. 

• Efficient Encryption Tactics: The ransomware halts critical processes, encrypts files quickly using AES, appends a .encrypted_by_bert extension, and drops ransom notes immediately. 

• Active Development & Russian Code Artifacts: Multiple variants have been identified, with code including Russian-language comments and hosted on Russian infrastructure—raising potential attribution links to Russia-aligned threat actors. 

• REvil Code Lineage: Analysts note similarities to the Linux variant of the now-dismantled REvil ransomware, suggesting BERT may be built using its leaked codebase. 

Further Reading: Trend Micro Research 

NordDragonScan: A Stealthy Data‑Harvester Targeting Windows 

FortiGuard Labs recently uncovered NordDragonScan, a covert Windows infostealer silently dropped via HTA scripts. Once executed, the malware harvests documents, full browser profiles, screenshots, system details, and even network inventory before exfiltrating everything to a command-and-control server. Installation begins through deceptive RAR archives and LNK files that trigger mshta.exe, concealing activity behind a decoy Ukrainian-language document. 

Key Insights: 

• Begins with a weaponized HTA dropped by a malicious LNK shortcut, leading to an invisible PowerShell installation of the payload. 

• NordDragonScan performs deep data collection, including documents (.docx, .pdf, .xls), screenshots, Chrome and Firefox history, system and network details. 

• Persistence is established via a Run-key registry entry; C2 communication occurs over TLS using custom headers (e.g. MAC-based user-agent). 

• Targets local network hosts for broader reconnaissance and evades static detection through string obfuscation and hidden executable tactics. 

Further Reading: Fortinet 

June 2025 Malware Spotlight: Discord Exploits Rise 

Check Point Research’s June 2025 malware spotlight reveals an escalating threat vector: hijacked Discord invite links. Attackers are exploiting expired or deleted invite codes—especially vanity URLs—to redirect users into malicious servers. Over 1,300 victims globally have been impacted, with malware like AsyncRAT and Skuld Stealer delivered via trusted platforms such as GitHub, Pastebin, and Bitbucket. 

Key Insights: 

• Hijacking Trusted Links: Threat actors reclaim expired or custom Discord invite links to lure users into malicious servers. 

• ClickFix Social Engineering: Victims encounter fake verification bots that execute clipboard injections and PowerShell commands. 

• Stealthy Delivery Chain: Malware is deployed in multiple stages using trusted cloud services to evade detection. 

• Widespread Impact: The campaign has affected users in the U.S., Vietnam, Germany, France, and the U.K., primarily targeting cryptocurrency users. 

Further Reading: Check Point Research 

Jasper Sleet: North Korean Remote IT Workers Use AI to Infiltrate Organizations 

Microsoft Threat Intelligence has identified a surge in activity from the North Korea-linked threat actor Jasper Sleet, formerly tracked as Storm‑0287. These operatives are exploiting remote work arrangements to embed themselves within organizations worldwide. Using AI tools to enhance fake identities, they are securing employment, gaining access to sensitive systems, and exfiltrating data to support North Korea’s strategic and financial objectives. 

Key Insights: 

• Jasper Sleet operatives use AI for facial and voice modification to impersonate real job seekers. 

• Fake identities are supported by fabricated credentials, doctored online profiles, and complicit facilitators. 

• The campaign targets a wide range of industries across North America, Europe, and Asia. 

• Over 3,000 accounts have been suspended due to links to this operation. 

• Common tactics include the use of residential IPs, remote access software, and resume laundering. 

Further Reading: Microsoft Security Blog 

Preventing ClickFix Attacks: A Critical Playbook 

Unit 42 outlines the growing prevalence of ClickFix social-engineering attacks—where users are duped into copying and executing malicious commands from deceptive web prompts. Given these attacks' reliance on clipboard manipulation and prompt hijacking (especially via PowerShell), defenders must adopt both technical and educational countermeasures. 

Key Insights: 

• Clipboard Monitoring Defenses: Alerts should trigger when suspicious commands are copied, especially PowerShell scripts; clipboard activity monitoring complements traditional endpoint detection measures. 

• Restricting Shell Execution: Limit or disable mshta.exe, PowerShell, and cmd.exe execution unless explicitly required—and particularly from web-origin contexts—to reduce attack success rates. 

• Harden User Prompts: Implement policies to disable or neuter clipboard/paste functionality in browser environments vulnerable to web-based injection prompts. 

• User Education is Key: Train users to recognize fake CAPTCHAs and unusual ‘copy-and-paste’ prompts. Clear guidance—such as “never paste commands into system prompts”—can disrupt the attack lifecycle. 

Further Reading: Unit 42 

RenderShock: Weaponizing Trust in File Rendering Pipelines 

Cybersecurity researchers at Cyfirma (with corroboration from IBM X-Force) have revealed a stealthy, zero-click attack strategy dubbed RenderShock. This sophisticated technique exploits passive file-rendering systems—like preview panes, metadata indexing, and sync clients—to discreetly trigger malicious activity without any user action. 

Key Insights: 

• Zero-Click Payloads: Attackers embed malicious logic into document metadata, file previews, or automation workflows that execute when files are merely indexed or previewed—not opened. 

• Multi-Vector Exploits: The framework targets diverse surfaces like Windows Explorer preview panes, macOS Quick Look, email client renderers, cloud sync tools, and antivirus scanners to activate payloads. 

• Stealth & Modularity: RenderShock uses simple evasion tactics—like executing reverse-shell macros or NTLM beaconing via UNC paths—and also advanced payloads such as dual-format polyglots, remote Office templates, and poisoned EXIF metadata. 

• Wide Impact Potential: Capabilities range from reconnaissance and credential harvesting to remote execution and lateral movement, all without requiring user interaction. 

• Defense Strategies: Mitigation relies on disabling preview/indexing features, sandboxing file handling, blocking SMB egress, monitoring unusual network activity from renderer processes, and simulating RenderShock techniques in red team exercises. 

Further Reading: Cyfirma 

Gemini Email Summary Phishing: Invisible Prompt Injection Risk 

A newly discovered vulnerability in Google’s Gemini for Workspace demonstrates how attackers can embed hidden instructions in emails—styled with invisible text—so that clicking “Summarize this email” invokes the malicious prompt. This can result in fake security alerts, phishing links, or fraudulent phone numbers appearing in AI-generated summaries. 

Key Insights: 

• Attackers hide directives using invisible HTML/CSS that Gemini parses but users can’t see. 

• Summarized messages may falsely warn of compromised accounts and urge recipients to click links or call numbers. 

• Because there are no obvious phishing signals (like attachments or visible links), these emails bypass typical threat detection. 

• Security teams should flag summaries containing urgent calls to action and train users to verify full email content. 

Further Reading: Bleeping Computer 

Deepfake It ‘til You Make It: The New AI Criminal Toolset 

Cybercriminals are increasingly exploiting deepfake technology to conduct fraud, extortion, and manipulation campaigns. Originally built for creative or entertainment purposes, AI-driven tools for generating fake audio, video, and images are now widely available and being misused to impersonate individuals and mislead organizations. 

Key Insights: 

• Democratized Deepfake Creation: Tools for generating synthetic media are now easy to use, enabling low-skilled actors to produce realistic forgeries. 

• CEO Fraud & Recruitment Exploits: Deepfake audio and video are being used to impersonate executives during meetings or to create fake candidate profiles in hiring scams. 

• KYC & Identity Fraud Risks: Attackers use deepfakes to bypass identity verification processes at banks and fintech platforms, facilitating account fraud. 

• Plug-and-Play Underground: Criminal communities are sharing deepfake tools, tutorials, and services, lowering the barrier to entry for would-be attackers. 

Further Reading: Trend Micro 

PoisonSeed Bypasses FIDO Keys Using Cross‑Device Sign‑In Trick 

Expel researchers uncovered a clever social engineering tactic used by the PoisonSeed campaign to neutralize FIDO hardware key protections. Instead of exploiting a technical flaw, attackers employ phishing pages and QR codes in a man-in-the-middle scenario that targets FIDO’s cross-device sign-in feature, fooling victims into granting access without physical key interaction. 

Key Insights: 

• A phishing website mimicking Okta captures login credentials and forwards them to the legitimate portal. 

• It then prompts a cross-device sign-in, displaying a QR code that, when scanned by the user, inadvertently authenticates the attacker. 

• No vulnerability in FIDO itself is exploited; attackers manipulate design workflows to bypass multi-factor authentication. 

• Although FIDO keys remain strong, this tactic bypasses them in real time without user awareness. 

• Organizations should monitor for unexpected cross-device login requests and consider options like requiring Bluetooth proximity or restricted registration policies. 

Further Reading: Expel 

SLOW#TEMPEST Malware Spotlight: Advanced Obfuscation Techniques Unveiled 

Unit 42 has analyzed a recent variant of the SLOW#TEMPEST malware campaign, revealing sophisticated obfuscation—such as dynamic jumps and indirect function calls—used by threat actors to hinder both static and dynamic analysis. 

Key Insights: 

• Control-Flow Obfuscation: The loader DLL uses runtime-calculated jumps (JMP RAX) to scramble execution paths, making conventional CFG analysis unreliable. 

• Indirect Calls: Instead of direct API calls, SLOW#TEMPEST employs dynamically resolved function pointers (CALL RAX), complicating detection of malicious functionality. 

• Emulation-Based Deobfuscation: Researchers successfully reversed obfuscation by emulating dynamic jumps and calls in IDA Pro, restoring visibility into the control flow and API usage. 

• Evasion of Sandboxes: These techniques prevent decompilers and automated sandboxes from recognizing malicious behavior, allowing the malware to remain hidden and active. 

• Detection Takeaway: Security teams should enhance defenses with emulation, behavioral telemetry, and control-flow integrity mechanisms to detect threats that evade traditional signature-based analysis. 

Further Reading: Unit 42 

Matanbuchus Malware Delivered via Microsoft Teams Calls 

Security researchers have alerted to a targeted campaign where attackers exploit Microsoft Teams voice calls—impersonating IT support—to remotely deploy Matanbuchus 3.0 malware. Victims are persuaded to use Windows Quick Assist, opening remote access doors. A PowerShell script then deploys a malicious ZIP package containing a side-loaded DLL loader, which initiates memory-resident infection without leaving obvious traces. 

Key Insights: 

• Social Engineering via Teams: Callers pose as IT personnel to earn trust and initiate remote-control sessions. 

• Quick Assist Abuse: Remote assistance tools are misused to bypass controls and execute malicious scripts. 

• In-Memory Loader: The malware uses PowerShell to unpack a DLL loader that sideloads the final payload without disk artifacts. 

• Advanced Evasion: Version 3.0 introduces Salsa20-based encryption, syscall usage to evade EDR hooks, and anti-sandbox mechanisms. 

• High-Risk Payload: Matanbuchus 3.0 can deploy additional threat tools like Cobalt Strike and ransomware, providing full system control. 

Further Reading: Bleeping Computer 

FileFix: A Social Engineering Evolution of ClickFix 

Check Point Research has uncovered FileFix, a new social engineering attack that refines the ClickFix method to trick users into executing malicious commands. Delivered through compromised or typo-squatted websites, FileFix prompts victims with a fake download link or “Fix” button—copying harmful PowerShell scripts to the clipboard. When users paste and run these snippets, the attacker gains system access through a stealthy, multi-stage infection chain. 

Key Insights: 

• FileFix uses clipboard hijacking to push malicious payloads via user-initiated paste actions. 

• Fake prompts mimic legitimate "fix" or software update buttons to build trust. 

• Infection unfolds in stages—from initial PowerShell downloaders to final payloads like AsyncRAT or remote access trojans. 

• This variation simplifies and accelerates command execution compared to previous ClickFix variants. 

• Detection requires user awareness and endpoint policies that block shell execution from clipboard content. 

Further Reading: Check Point Research 

Linkable Token Identifiers Now GA for Enhanced Identity Threat Detection 

Microsoft Entra ID has launched linkable token identifiers—a new capability that allows security teams to trace a user session across Microsoft 365 services (including Teams, SharePoint, Exchange Online, and Graph). Each session is now tagged with a Session ID (SID) and Unique Token Identifier (UTI), enabling precise correlation of all actions originating from a single authentication event across multiple workloads. 

Key Insights: 

• SID enables linkage of all access tokens and session activity from one login, while UTI uniquely identifies each issued token. 

• Security analysts can now trace attacker movements—such as lateral access, API usage, or mailbox actions—across services using unified session tracking. 

• This simplifies investigation workflows, reducing reliance on fragmented logs or inconsistent identifiers like IP addresses and device IDs. 

• SOCs using Defender XDR and Entra ID Protection can now map anomalous activity with greater accuracy and speed. 

Further Reading: Microsoft Entra Blog 

FBI & CISA Update on Tactics & Threats for Scattered Spider 

Critical infrastructure and commercial entities are urged to review CISA's updated joint advisory AA23‑320A (last revised July 29, 2025), detailing evolving tactics used by the Scattered Spider cybercriminal group. Known for preying on IT and help desk personnel, this financially motivated threat actor now combines social engineering, ransomware, and data extortion with sophisticated new techniques. 

Key Insights: 

• Scattered Spider continues targeting IT support channels using voice phishing (vishing), SMS phishing (smishing), and MFA fatigue attacks alongside SIM swapping to obtain access credentials. 

• Once inside, attackers repurpose legitimate remote-access and tunneling tools (e.g. TeamViewer, AnyDesk, Ngrok) instead of relying on malware, enabling stealthy and persistent access. 

• New variants like DragonForce ransomware are now being deployed as part of combined extortion operations (data theft + encryption). 

• In recent operations, actors have refined social engineering methods while rotating TTPs to evade detection and extend dwell time. 

• Updated mitigations emphasize phishing-resistant MFA, verifying helpdesk contacts out-of-band, limiting remote access tool use, and continuous validation of security controls against evolving attack behaviors. 

Further Reading: CISA Advisory AA23‑320A (Scattered Spider) 

Phishing Trends Q2 2025: Microsoft at the Helm, Spotify Rejoins the Spotlight 

Check Point Research’s latest Brand Phishing report reveals that in the second quarter of 2025, cybercriminals continued to impersonate high-trust brands to trick users into revealing credentials or financial data. Microsoft remained the most spoofed brand—used in 25% of phishing attempts—followed by Google (11%), Apple (9%), and Spotify (6%), marking Spotify’s first reappearance in the charts since late 2019. 

Key Insights: 

• Microsoft led phishing campaigns, accounting for a quarter of all spoofed brands. 

• Spotify saw a surprising resurgence in impersonation attempts after a long absence, used in campaigns involving fake credential and payment pages. 

• Booking.com–themed domains surged by over 700 in Q2, many embedding personal user data to deceive targets convincingly. 

• Tech remained the top spoofed sector, with social networks, travel, and retail brands also seeing elevated impersonation activity. 

• Seasonal alignment played a key role: the rise in travel scams coincided with summer holiday planning, amplifying phishing success. 

Further Reading: Check Point Research 

Microsoft OAuth Phishing Campaign: MFA Bypass via App Impersonation 

Proofpoint has exposed a sophisticated phishing campaign where attackers used malicious Microsoft OAuth applications—disguised as trusted brands like Adobe, DocuSign, and SharePoint—to trick users into granting access to their Microsoft 365 accounts. These apps operated within legitimate authorization flows, enabling attackers to bypass multi-factor authentication (MFA) with minimal-risk consent requests. 

Key Insights: 

• The fake OAuth apps mimicked trusted publishers to obtain permissions for profile, email, and openid scopes—enough to capture credentials and session tokens without raising suspicion. 

• Once approved, users were redirected to phishing pages that intercepted login credentials and session tokens using AiTM (attacker-in-the-middle) kits like Tycoon or EvilProxy. 

• Attackers were able to maintain access via stolen tokens even after password resets, remaining linked to accounts until consent was manually revoked. 

• The campaign compromised multiple sectors—including finance, healthcare, and retail—targeting executives and high-privilege users. 

• Standard security controls such as DMARC or domain reputation were largely ineffective since the phishing originated from within Microsoft's system. 

• Microsoft is rolling out updated defaults that require administrative approval for third-party app permissions, aiming to limit similar attacks going forward. 

Further Reading: Proofpoint Threat Insight 

GreyNoise: Early Warning Signals Reveal Emerging Vulnerabilities Before Public Disclosure 

GreyNoise’s latest research, “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities”, demonstrates that spikes in malicious activity—such as scanning or brute force attempts—often occur weeks before a corresponding CVE is officially disclosed. This pattern is most pronounced in edge technologies like VPNs, firewalls, and remote access tools. Of 216 observed spikes since September 2024, 80% were followed by a CVE within six weeks, and 50% within just three weeks. 

Key Insights: 

• Attacker reconnaissance frequently precedes public identification of the vulnerability they are probing. 

• Spikes in exploit activity offer a critical 6-week window for defenders to prepare before official disclosure. 

• This trend is particularly prevalent in enterprise perimeter devices—typical initial access points for adversaries. 

• Relying solely on EPSS or KEV can miss these pre-disclosure threats and delay defensive response. 

Further Reading: GreyNoise Early Warning Signals Report 

This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.

Camera Off: Akira Deploys Ransomware via Webcam 

Akira, a notorious ransomware group, has demonstrated a novel technique by bypassing Endpoint Detection and Response (EDR) tools through the compromise of unsecured webcams. After facing detection while attempting to deploy ransomware on a Windows server, Akira pivoted to target a vulnerable webcam on the victim's network. This device, running a lightweight Linux OS and lacking EDR, allowed the group to deploy Linux-based ransomware successfully. This incident emphasizes the importance of securing IoT devices and enhancing patch management strategies. 

Key Insights: 

• IoT devices, such as webcams, can be used as pivot points for attackers to bypass traditional security tools like EDR. 

• Akira's adaptability highlights how ransomware groups are evolving and using multiple platforms for attacks. 

• Organizations should prioritize securing all devices, including IoT, and ensuring comprehensive patch management. 

Further Reading: S-RM 

Not Just for Developers: How Product and Security Teams Can Use GitHub Copilot 

GitHub Copilot is transforming not just development teams but also product and security teams. With its AI-powered code generation, it can assist security teams in identifying vulnerabilities faster and help product teams in generating feature specifications or optimizing documentation. Copilot's integration into the workflow allows these teams to accelerate their tasks and focus more on strategy rather than repetitive tasks, improving efficiency and productivity across the board. 

Key Insights: 

• GitHub Copilot isn't just for coders; it’s valuable for security and product teams too. 

• It accelerates vulnerability identification and aids in documentation and feature specification. 

• Teams can leverage AI to improve efficiency and focus on high-impact work. 

Further Reading: GitHub Blog 

Blink and They're In: How Rapid Phishing Attacks Exploit Weaknesses 

Phishing attacks are accelerating, with attackers exploiting weaknesses in systems faster than security teams can respond. In one notable case, attackers gained control of a network in just 48 minutes using social engineering and a flood of spam emails, followed by convincing employees to give remote access. These attacks leverage low-tech tactics, such as using legitimate tools like Microsoft Teams and Quick Assist, to bypass security defenses. 

Key Insights: 

• Attackers are exploiting basic social engineering tactics, such as impersonating IT help desks, to gain control of devices. 

• Rapid response times (48 minutes in this case) highlight the need for automated security measures. 

• Preventative measures include verifying help-desk staff interactions and locking down remote access tools like Quick Assist. 

Further Reading: ReliaQuest 

ACRStealer Infostealer Exploiting Google Docs as C2 

ACRStealer, a new type of infostealer, is taking a unique approach by using Google Docs as an intermediary command-and-control (C2) server. Threat actors hide malicious commands within Google Docs files, leveraging Base64 encoding to keep the communication with the C2 server hidden. The infostealer targets a wide range of sensitive information, including browser data, cryptocurrency wallet files, FTP credentials, and even chat program data. This shift in tactics highlights the evolving nature of cybercrime and the need for robust monitoring and secure data handling practices to detect and prevent such attacks. 

Key Insights: 

• ACRStealer uses Google Docs, telegra.ph, and Steam as intermediary C2 servers, making it harder to detect the malware's activity. 

• The malware targets sensitive data like browser history, cryptocurrency wallet files, and FTP credentials. 

• It continues to evolve by hiding its communication strings within different services to evade detection. 

Further Reading: AhnLab 

SecTopRAT Bundled in Chrome Installer Distributed via Google Ads 

A new phishing attack is leveraging Google Ads to distribute a fake Google Chrome installer bundled with SecTopRAT, a remote access Trojan (RAT) with stealer capabilities. Users searching for the legitimate Google Chrome installer are led to a malicious Google Sites page, where they unknowingly download the malware disguised as Chrome. The attack bypasses Windows Defender by dynamically retrieving and decrypting the malicious payload, allowing attackers to inject the malware into a legitimate process, giving them control of the victim's system. 

Key Insights: 

• The malware is hidden in a fake Chrome installer, which is distributed through Google Ads and Google Sites. 

• Once installed, SecTopRAT is deployed, giving attackers remote access and the ability to steal sensitive data. 

• The attack evades detection by dynamically downloading the malware and using anti-virus evasion techniques. 

Further Reading: Malwarebytes 

Abusing CSS for Evasion and Tracking: A New Threat 

Cybercriminals are increasingly abusing Cascading Style Sheets (CSS) to evade detection and track users. By using techniques like hidden text salting, attackers can insert irrelevant, invisible content into emails to bypass spam filters and email parsers. This method can also be used to track user actions and preferences, even when email clients restrict dynamic content like JavaScript. 

These tactics include setting text to invisible properties, manipulating opacity, and hiding content off-screen. Attackers can exploit this for phishing emails and even to fingerprint users based on their system configurations. 

Key Insights: 

• CSS properties like text-indent and opacity are used to conceal malicious content and bypass security measures. 

• CSS can also be abused for tracking user actions and preferences, allowing for advanced targeting in phishing campaigns. 

• Security teams should educate employees about these new evasion tactics and strengthen email defenses. 

Further Reading: Talos Intelligence 

Remote Monitoring and Management (RMM) Tools: Attackers’ First Choice 

Cybercriminals are increasingly turning to legitimate Remote Monitoring and Management (RMM) tools as their first-stage payloads in email campaigns. These tools, typically used by IT teams for managing multiple systems remotely, are now being exploited to collect data, steal finances, and deploy additional malware, including ransomware. In 2024, there was a marked shift, with RMM tools like ScreenConnect, Fleetdeck, and Atera replacing traditional loaders and botnets. This trend emphasizes the need for organizations to monitor remote management tools carefully and ensure they are not abused by attackers. 

Key Insights: 

• RMM tools are being used to facilitate cyberattacks by granting attackers remote access to systems. 

• The use of RMM tools as a first-stage payload is increasing, replacing older attack methods. 

• Organizations must secure their RMM tools and ensure they are used appropriately. 

Further Reading: Proofpoint Blog 

ClickFix: The Social Engineering Technique Hackers Use to Manipulate Victims 

The ClickFix technique has gained significant traction among cybercriminals due to its ability to manipulate users into executing malicious actions. By using a clever mix of human psychology and obfuscation, attackers deploy this technique to bypass security systems and install malware. The attack typically involves fake CAPTCHA-like elements, tricking victims into clicking on links or downloading malicious files. This technique has become increasingly popular due to its effectiveness in evading traditional detection methods. 

Key Insights: 

• ClickFix uses obfuscation to bypass security measures and execute malicious actions. 

• Attackers exploit human psychology to trick users into performing actions that compromise security. 

• Organizations should educate employees on recognizing manipulative tactics like ClickFix and improve multi-layered defenses. 

Further Reading: Group-IB Blog 

ESET Discovers Zero-Day Exploit in Windows Kernel (CVE-2025-24983) 

ESET Research has uncovered a zero-day exploit leveraging the CVE-2025-24983 vulnerability in the Windows Kernel, allowing attackers to elevate their privileges. First observed in the wild in March 2023, this exploit was used in conjunction with the PipeMagic backdoor, compromising targeted systems. The discovery highlights the continued use of kernel vulnerabilities in advanced attacks and the importance of regular patching and security monitoring to protect against zero-day threats. 

Key Insights: 

• The exploit targets a critical Windows Kernel vulnerability (CVE-2025-24983), enabling privilege escalation. 

• The attack was first observed in March 2023 and delivered through the PipeMagic backdoor. 

• Organizations must prioritize timely updates and monitoring for signs of this and similar vulnerabilities. 

Further Reading: ESET Research on Bluesky 

From Data to Defense: Insights from ReliaQuest’s 2025 Annual Threat Report 

The 2025 Annual Threat Report from ReliaQuest reveals the rapidly increasing speed of cyberattacks, with attackers moving from initial access to lateral movement in just 48 minutes. AI and automation are now key tools for both attackers and defenders, with organizations needing to integrate AI-driven solutions to keep pace. Phishing remains the primary method of attack, but ransomware tactics are evolving, with more emphasis on data exfiltration rather than encryption. The report offers actionable recommendations, including the need for automated responses, securing remote services, and enhancing logging practices to better track and prevent breaches. 

Key Insights: 

• Attackers now complete lateral movement in 48 minutes, stressing the importance of rapid detection and response. 

• AI and automation are critical to addressing the evolving cyberthreat landscape. 

• Ransomware is shifting towards exfiltration and data extortion. 

Further Reading: ReliaQuest 

Microsoft 365 Targeted in New Phishing, Account Takeover Attacks 

New phishing campaigns are leveraging Microsoft 365's infrastructure to conduct account takeover (ATO) attacks, exploiting tenant misconfigurations and using OAuth redirection. One campaign involves attackers sending phishing emails using Microsoft’s own infrastructure, making detection difficult. These emails, masquerading as legitimate Microsoft notifications, direct victims to call centers, bypassing security controls. Another attack uses OAuth apps pretending to be Adobe and DocuSign to steal credentials and deploy malware. Security teams must be vigilant in securing OAuth applications and scrutinizing internal communications. 

Key Insights: 

• Phishing attacks are exploiting Microsoft 365’s infrastructure for ATO attacks. 

• Attackers use fake support contacts and legitimate-looking emails to trick victims. 

• OAuth applications masquerading as trusted brands are used for stealing credentials and deploying malware. 

Further Reading: SecurityWeek 

AI Agent Attacks: A New Threat with Serious Implications 

AI agents, like OpenAI's Operator, are being used by attackers to automate cyberattacks such as phishing, malware creation, and setting up attack infrastructure. As these AI tools become more accessible, they lower the entry barrier for cybercriminals, increasing the risk of widespread and damaging attacks. 

Key Insights: 

• AI agents automate complex attacks, including phishing and malware creation. 

• These tools reduce the effort required for attacks, making them more accessible to cybercriminals. 

• Organizations should strengthen detection systems and control access to mitigate AI-driven threats. 

Further Reading: Symantec Blog 

JavaGhost’s Persistent Phishing Attacks From the Cloud 

JavaGhost, an active cybercriminal group, has evolved from website defacement to launching sophisticated phishing attacks. They exploit misconfigurations in Amazon Web Services (AWS) environments, leveraging services like Amazon Simple Email Service (SES) to send phishing emails using the infrastructure of compromised organizations. These attacks are particularly insidious, bypassing traditional email protections due to the legitimacy of the sending source. JavaGhost has adapted advanced evasion techniques to obscure their activities, making detection harder for defenders. 

Key Insights: 

• JavaGhost exploits AWS misconfigurations to send phishing emails, bypassing email protections. 

• They use advanced evasion techniques to obscure their presence in cloud logs. 

• Organizations must secure AWS environments, restrict IAM permissions, and implement enhanced detection methods. 

Further Reading: Unit42 Blog 

Buying Browser Extensions: A Dangerous Security Risk 

In a recent investigation, it was revealed how attackers are buying up popular browser extensions and using them for malicious purposes. Extensions that started as helpful tools can easily be sold to the highest bidder, transforming into spyware or data harvesters without the original developers or users being notified. This risky practice allows new owners to repurpose permissions, such as tracking browsing behavior or stealing sensitive data, all without any visible changes to the extension’s appearance. 

Key Insights: 

• Extensions can be sold and repurposed for malicious use, including tracking user data or even stealing login credentials. 

• The process of transferring ownership of extensions is relatively easy, with few security checks from platforms like Google Chrome. 

• Organizations should actively monitor the extensions in use and verify the legitimacy of any new updates or ownership changes to prevent security risks. 

Further Reading: Secure Annex Blog 

Menlo Security Report: 130% Increase in Zero-Hour Phishing Attacks and Nearly 600 Incidents of GenAI Fraud 

Menlo Security's 2025 State of Browser Security Report reveals a 130% increase in zero-hour phishing attacks and highlights nearly 600 incidents of GenAI fraud. Attackers are using generative AI to impersonate legitimate platforms and manipulate users into disclosing personal information. Additionally, cybercriminals are leveraging sophisticated evasion techniques to bypass traditional security systems. With phishing sites growing by nearly 700% since 2020, organizations must prioritize browser security to mitigate these evolving threats. 

Key Insights: 

• A surge in generative AI-based fraud, with cybercriminals impersonating platforms to steal personal data. 

• Nearly 1M new phishing sites are created monthly, reflecting a 700% increase since 2020. 

• Attackers are increasingly exploiting cloud services like AWS and CloudFlare for malicious content hosting. 

Further Reading: Menlo Security 

Is Firebase Phishing a Threat to Your Organization? 

Firebase, a platform commonly used for app development, has been exploited in phishing attacks targeting organizations. Attackers can hijack Firebase’s authentication services to launch phishing campaigns, tricking users into divulging sensitive information. These attacks can be used to steal credentials, and in some cases, manipulate cloud-based services that organizations rely on. With Firebase being a trusted service, users may not immediately recognize these phishing attempts, making it a potent tool for attackers. 

Key Insights: 

• Firebase is being exploited for phishing attacks, often targeting organizations’ authentication systems. 

• Users may unknowingly fall victim due to Firebase’s trusted reputation. 

• Organizations need to be aware of how Firebase can be misused and take proactive measures to secure their systems. 

Further Reading: Check Point Blog 

RansomHub's EDRKillShifter: Unveiling Evolving Ransomware Tactics 

ESET's recent research delves into RansomHub, a prominent ransomware-as-a-service (RaaS) group that emerged in early 2024. The study uncovers RansomHub's connections to established gangs like Play, Medusa, and BianLian, highlighting the dynamic nature of ransomware operations. A focal point of the research is EDRKillShifter, a custom tool developed by RansomHub to disable endpoint detection and response (EDR) systems, enhancing the effectiveness of their attacks. This tool exemplifies the evolving sophistication of ransomware tactics, emphasizing the need for advanced security measures to counteract such threats.  

Key Insights: 

• RansomHub's Emergence: Rapidly rose to prominence in 2024, surpassing established ransomware groups in activity.  

• EDRKillShifter Tool: A custom-developed EDR killer that targets various security solutions to facilitate attacks.  

• Affiliate Connections: Links between RansomHub and other ransomware gangs, suggesting a fluid and interconnected threat landscape.  

Further Reading: ESET Research 

Google Announces Sec-Gemini v1: An Experimental AI Model for Cybersecurity 

Google has introduced Sec-Gemini v1, an experimental AI model designed to enhance cybersecurity operations. By integrating advanced reasoning capabilities with near real-time cybersecurity knowledge, Sec-Gemini v1 aims to improve tasks such as incident root cause analysis, threat analysis, and understanding vulnerability impacts. The model combines Gemini's AI capabilities with data from sources like Google Threat Intelligence (GTI) and the Open Source Vulnerabilities (OSV) database, resulting in superior performance on key cybersecurity benchmarks. Google is offering Sec-Gemini v1 to select organizations, institutions, professionals, and NGOs for research purposes to foster collaboration in advancing AI-driven cybersecurity solutions.  

Key Insights: 

• Sec-Gemini v1 integrates AI with real-time cybersecurity data to enhance security operations.  

• The model outperforms others on benchmarks like CTI-MCQ and CTI-Root Cause Mapping.  

• Google is providing access to Sec-Gemini v1 for research collaborations to advance AI in cybersecurity.  

Further Reading: Google Security Blog 

Off the Beaten Path: Recent Unusual Malware 

Unit 42 researchers have identified several distinctive malware samples exhibiting uncommon characteristics and techniques: 

• C++/CLI IIS Backdoor: A passive backdoor for Internet Information Services (IIS) developed using C++/CLI—a rarely used programming language in malware development. It employs evasive techniques to facilitate unauthorized access. 

• Dixie-Playing Bootkit: This bootkit leverages an unsecured kernel driver to install a GRUB 2 bootloader in a highly unconventional way, showing a creative approach to persistence and system control. 

• ProjectGeass Post-Exploitation Framework: A Windows-based implant of a cross-platform post-exploitation framework written in C++. While not groundbreaking in technique, its atypical structure distinguishes it from mainstream frameworks. 

These samples demonstrate the evolving nature of malware and the increasing variety of methods attackers are using to bypass defenses. 

Further Reading: Unit 42 Blog 

ClickFix: A Deceptive Malware Deployment Technique 

Cybercriminals are employing a tactic known as "ClickFix," which masquerades as a CAPTCHA verification to trick users into executing commands that download malware. This scheme prompts users to press a series of keyboard shortcuts—Windows + R, Ctrl + V, and Enter—that open the Run dialog, paste malicious code, and execute it via mshta.exe, a legitimate Windows utility. This method has been used to deliver various malware families, including XWorm, Lumma Stealer, and AsyncRAT. 

Key Insights: 

• ClickFix attacks exploit user actions to bypass security measures, leading to the installation of credential-stealing malware. 

• Industries such as hospitality and healthcare have been targeted, with attackers impersonating trusted entities like Booking.com. 

• The attack leverages legitimate Windows functionalities (mshta.exe) to execute malicious code, complicating detection efforts. 

Further Reading: Krebs on Security 

PoisonSeed Phishing Campaign Targets Email and CRM Providers 

The PoisonSeed phishing campaign has been identified targeting email and CRM providers, including Mailchimp, Mailgun, and Zoho, to gain unauthorized access to high-value accounts. Attackers create convincing phishing pages that closely resemble legitimate login portals to harvest user credentials. Once access is obtained, they download email lists for use in cryptocurrency-related spam operations. Notably, security expert Troy Hunt fell victim to such an attack, highlighting the sophistication of these phishing attempts. 

Key Insights: 

• PoisonSeed employs highly convincing phishing pages to compromise accounts of email and CRM service providers. 

• Compromised accounts are used to disseminate cryptocurrency-related spam, potentially leading to further financial fraud. 

• Even cybersecurity professionals have been deceived by these tactics, underscoring the need for heightened awareness. 

Further Reading: CSO Online 

98% Increase in Phishing Campaigns Using Russian (.ru) Domains 

Recent analyses have revealed a 98% surge in phishing campaigns hosted on Russian (.ru) top-level domains (TLDs) between December 2024 and January 2025. These campaigns primarily aim to harvest user credentials by employing tactics such as QR codes, auto-redirects, and multi-layered attachments to direct victims to phishing websites. Notably, many of these phishing emails have bypassed security products, including Exchange Online Protection and Barracuda Email Security Gateway. 

Key Findings: 

• 1,500 unique .ru domains identified in the campaign. 

• 377 new domains registered with the "bulletproof" registrar R01-RU. 

• Over 13,000 malicious emails reported. 

• 2.2% of observed emails from .ru domains were phishing attempts. 

• Average age of a .ru domain used in these attacks is 7.4 days. 

Industries Targeted: 

• Business and Economy (36.09%) 

• Financial Services (12.44%) 

• News & Media (8.27%) 

• Health and Medicine (5.6%) 

• Government (4.51%) 

Further Reading: KnowBe4 Blog 

Pharmacist Allegedly Used Keyloggers to Spy on Coworkers at Maryland Hospital 

A former pharmacist at the University of Maryland Medical Center is accused of secretly installing keylogging software on nearly 400 hospital computers over a decade. The class-action lawsuit claims he accessed coworkers’ login credentials, personal files, and even activated webcams in patient exam rooms. The hospital is also being sued for allegedly failing to detect or respond to the breach in a timely manner. 

Key Insights: 

• Keyloggers were reportedly used to steal credentials and access private communications. 

• The software was allegedly installed across hundreds of hospital systems without detection. 

• The incident underscores the importance of monitoring for insider threats and unauthorized software. 

Further Reading: The Record 

This is a monthly newsletter that I share internally with our Cybersecurity team. Feel free to take and use for your own team. Created with the help of ChatGPT.

Exploring Q4 2024 Brand Phishing Trends: Microsoft Remains the Top Target as LinkedIn Makes a Comeback 

In the final quarter of 2024, Microsoft continued to be the most targeted brand in phishing campaigns, but LinkedIn made a significant comeback, appearing as a top target for the first time in years. Phishing actors are increasingly leveraging trusted brands to deceive users, with attacks designed to steal sensitive credentials and install malware. Organizations must continue to strengthen defenses against these brand impersonation attacks to protect their users and data. 

Key Insights: 

• Microsoft remains the primary target in brand phishing campaigns, with attackers frequently using its name to trick users into disclosing credentials. 

• LinkedIn’s resurgence as a phishing target highlights the shifting tactics of cybercriminals, who are capitalizing on platforms that users trust. 

• Organizations need to implement strong anti-phishing measures, including employee training and advanced detection tools, to defend against these evolving threats. 

Further Reading: Checkpoint Blog 

Threat Actors Still Leveraging Legit RMM Tool ScreenConnect for Persistence in Cyberattacks 

Cybercriminals are continuing to exploit the legitimate remote monitoring and management (RMM) tool, ScreenConnect, to maintain persistence in cyberattacks. Threat actors are using social engineering to lure victims into installing altered versions of ScreenConnect, which gives them control over victims’ systems. This tool is particularly used to target sensitive data, with specific campaigns focused on Social Security recipients. The attacks are facilitated through bulletproof hosting providers, making it challenging to trace and mitigate these threats. 

Key Insights: 

• ScreenConnect is being used by threat actors to gain persistent access to victims’ systems. 

• Malicious versions of the software are being disguised as legitimate files, such as eStatements from the Social Security Administration. 

• Social engineering tactics are employed to trick users into installing compromised software. 

• Bulletproof hosting providers are being used to shelter malicious activities, making them harder to disrupt. 

Further Reading: Silent Push 

Hackers Spoof Microsoft ADFS Login Pages to Steal Credentials 

Hackers are spoofing Microsoft Active Directory Federation Services (ADFS) login pages to steal user credentials. This attack leverages the trust users have in Microsoft’s secure login page by creating fake versions that closely resemble the original. Once victims enter their credentials, the attackers steal the information for malicious purposes. This highlights the importance of verifying login pages and using multi-factor authentication to protect against such credential theft. 

Key Insights: 

• Hackers are creating fake versions of Microsoft ADFS login pages to capture user credentials. 

• These attacks rely on users trusting the Microsoft login page, making them difficult to detect. 

• Multi-factor authentication (MFA) and vigilant scrutiny of login pages can help prevent successful credential theft. 

Further Reading: BleepingComputer 

Racing the Clock: Outpacing Accelerating Attacks 

In 2024, cyberattack speeds surged, with the average breakout time dropping to just 48 minutes, a 22% reduction from the previous year. Key factors behind this acceleration include more efficient Ransomware-as-a-Service (RaaS) operations, a rise in infostealers, and the use of AI-powered penetration testing tools. As attacks become faster, organizations must enhance their security measures to match the pace of threat actors, leveraging automation and AI to reduce response times and contain attacks before they spread. 

Key Insights: 

• Breakout time—the time from initial access to lateral movement—has decreased to 48 minutes, making it crucial to respond quickly. 

• Infostealers and IABs (Initial Access Brokers) are driving faster breaches by providing quick access to compromised systems. 

• Automation and AI-driven tools are essential for organizations to respond to attacks more efficiently and minimize damage. 

Further Reading: ReliaQuest 

VidSpam: A New Threat Emerges as Bitcoin Scams Evolve from Images to Video 

Bitcoin scams targeting mobile users are evolving with attackers now using video-based spam (VidSpam) to deceive victims. These scammers are sending small video file attachments to lure individuals into fraudulent schemes. The videos often direct recipients to high-pressure WhatsApp groups where personal information or money is extracted. This evolution from image-based scams to video content marks a troubling trend in mobile security. 

Key Insights: 

• Attackers are using small video files (e.g., 14KB .3gp files) to promote Bitcoin scams through multimedia messages. 

• The video attachments encourage victims to join WhatsApp groups where scammers use pressure tactics to steal money or data. 

• As scammers refine their tactics, VidSpam is expected to increase, targeting unsuspecting mobile users. 

Further Reading: Proofpoint 

January 2025’s Most Wanted Malware: FakeUpdates Continues to Dominate 

FakeUpdates malware remains the top threat in January 2025, continuing its dominance in the malware landscape. This malware is primarily distributed through fake software updates that users are tricked into downloading. Once installed, it can enable attackers to take control of the system and steal sensitive information. The persistence of FakeUpdates emphasizes the need for cautious behavior when downloading updates and a heightened focus on secure software practices. 

Key Insights: 

• FakeUpdates continues to lead as one of the most used malware types, delivered through fake update prompts. 

• This malware is often disguised as legitimate updates, compromising systems and exfiltrating data. 

• Users should avoid downloading updates from unverified sources and ensure they only install software from trusted vendors. 

Further Reading: Checkpoint Blog 

Using Genuine Business Domains and Legitimate Services to Harvest Credentials 

Cybercriminals are increasingly using legitimate business domains and services to conduct credential harvesting attacks. By spoofing well-known companies and mimicking their email communications, attackers deceive users into providing their login information. These tactics often involve using business-looking email addresses and phishing links that lead to fake login pages. This trend underscores the need for businesses and consumers to be cautious when interacting with unsolicited messages. 

Key Insights: 

• Phishing attacks are increasingly using trusted business domains and services to trick users into disclosing credentials. 

• Attackers mimic legitimate emails to create fake login pages that steal sensitive information. 

• Users should be cautious of unsolicited messages and verify the authenticity of any login requests by visiting official websites directly. 

Further Reading: KnowBe4 Blog 

Protect Your Data: Russian Spear-Phishing Targets Microsoft 365 Accounts 

A new spear-phishing campaign linked to Russian threat actors is targeting Microsoft 365 users. The attackers use highly customized phishing emails that appear legitimate, aiming to steal login credentials and gain unauthorized access to sensitive information. With Microsoft 365 being a prime target, organizations should enhance their security by training users to recognize phishing attempts and implementing advanced security measures, including multi-factor authentication. 

Key Insights: 

• Russian threat actors are targeting Microsoft 365 accounts using personalized spear-phishing emails. 

• These attacks aim to steal credentials, putting sensitive data at risk. 

• Organizations should deploy multi-factor authentication and conduct regular security awareness training to protect against these threats. 

Further Reading: KnowBe4 Blog 

New Xerox Printer Flaws Could Let Attackers Capture Windows Active Directory Credentials 

Critical vulnerabilities have been found in Xerox VersaLink printers, allowing attackers to potentially capture Windows Active Directory credentials via pass-back attacks. These flaws, affecting firmware versions 57.69.91 and earlier, enable attackers to manipulate printer configurations and redirect authentication credentials. Successful exploitation could allow lateral movement within an organization's network, compromising servers and file systems. Immediate patching and enhanced security measures, such as strong admin passwords and disabling remote access, are advised. 

Key Insights: 

• Xerox VersaLink printers are vulnerable to attacks that can capture Windows Active Directory credentials. 

• Exploiting these vulnerabilities requires physical or remote access to the printer's control interface. 

• Organizations should patch printers immediately, enforce strong passwords, and limit access to vulnerable settings. 

Further Reading: The Hacker News 

ClickFix vs. Traditional Download in New DarkGate Campaign 

A new malvertising campaign has been observed using two different methods to deliver the DarkGate malware: the ClickFix technique and traditional file downloads. The ClickFix method involves a fake CAPTCHA-like page that tricks users into executing a malicious command, while the traditional approach uses a fake software download disguised as a legitimate app. Both methods ultimately deliver the DarkGate malware, highlighting the adaptability of threat actors in refining delivery techniques. 

Key Insights: 

• The ClickFix method tricks users into running malicious code by mimicking a CAPTCHA process. 

• The traditional download method uses fake installers to distribute malware. 

• Both methods successfully deliver DarkGate, with the ClickFix technique possibly yielding higher success rates. 

Further Reading: Malwarebytes 

Russian Phishing Campaigns Exploit Signal's Device-Linking Feature 

Russian phishing campaigns are exploiting the device-linking feature of the Signal messaging app to compromise user accounts. Attackers use malicious QR codes to trick targets into linking their Signal account to an attacker-controlled device, allowing them to monitor private conversations without fully compromising the target's device. This method has been observed in both large-scale campaigns and targeted attacks, especially against military personnel and high-value targets. 

Key Insights: 

• Attackers use malicious QR codes to link Signal accounts to their devices, enabling undetected access to encrypted communications. 

• These phishing techniques often involve impersonating legitimate resources, such as group invitations or app instructions. 

• Signal users are advised to update the app, check linked devices regularly, and enable two-factor authentication for added protection. 

Further Reading: BleepingComputer 

Phishing Attack Hides JavaScript Using Invisible Unicode Trick 

A new phishing attack technique is using invisible Unicode characters to hide malicious JavaScript. This approach involves obfuscating binary values within JavaScript payloads by replacing them with invisible Hangul characters, making the script appear empty. When executed, a proxy retrieves and reconstructs the original code. The attack is particularly difficult to detect, as it uses anti-debugging techniques and avoids triggering security scanners by exploiting whitespace. The campaign targets affiliates of a political action committee, employing highly personalized tactics. 

Key Insights: 

• The phishing attack uses invisible Unicode characters to obfuscate JavaScript payloads, making detection more challenging. 

• Anti-debugging techniques are employed to avoid analysis and redirect attackers if they detect delays in execution. 

• The attack is highly personalized and can evade security scanners by using empty spaces and encoding methods. 

Further Reading: BleepingComputer 

New Facebook Copyright Infringement Phishing Campaign 

A new phishing campaign has been detected targeting Facebook users with fake copyright infringement notices. The attackers use deceptive emails that appear to come from Facebook, claiming that users have violated copyright laws. The emails contain links to fake Facebook pages that prompt users to enter personal information, including passwords. This campaign highlights the ongoing threat of phishing attacks that impersonate trusted platforms like Facebook. 

Key Insights: 

• The phishing emails mimic Facebook's notifications about copyright violations to trick users into sharing sensitive data. 

• Victims are directed to fake pages designed to capture their credentials. 

• Users should be cautious about unsolicited emails and verify the authenticity of any official communications by visiting Facebook directly. 

Further Reading: Check Point Blog 

University Site Cloned to Evade Ad Detection, Distributes Fake Cisco Installer 

A recent malicious campaign involved cloning a German university website to evade ad detection, distributing a fake Cisco AnyConnect installer. The attackers leveraged a Google ad to direct users to a fraudulent site designed to mimic a legitimate university page, with the goal of deploying the NetSupport RAT. The malware, disguised as a Cisco update, was signed with a valid certificate and allowed attackers to remotely access infected systems. 

Key Insights: 

• Attackers cloned a university website to evade detection, delivering a fake Cisco installer via a Google ad. 

• The malware, NetSupport RAT, was hidden in a digitally signed installer and granted remote access to attackers. 

• Users should exercise caution when downloading software, especially from sponsored ads, and verify the authenticity of the source. 

Further Reading: Malwarebytes 

How Hunting for Vulnerable Drivers Unraveled a Widespread Attack 

An investigation into vulnerable drivers revealed a widespread attack exploiting these weaknesses to gain unauthorized access. Attackers used outdated or unpatched drivers to deploy malware and maintain persistence within compromised systems, bypassing traditional security measures. This emphasizes the need for regular updates and comprehensive vulnerability management to safeguard against such threats. 

Key Insights: 

• Attackers exploited outdated drivers to gain system access and deploy malware. 

• The attack allowed persistent control over systems, evading detection. 

• Regular driver updates and vulnerability assessments are crucial for preventing similar attacks. 

Further Reading: Check Point Blog 

2024 Account Takeover Statistics 

Proofpoint’s latest research highlights the alarming prevalence of account takeover (ATO) attacks, which are now among the most common cyberattack types. These attacks involve threat actors gaining control of legitimate user accounts to execute malicious activities, including data breaches and fraud. The findings underscore the importance of strong authentication and continuous monitoring to prevent unauthorized access and protect sensitive data. 

Key Insights: 

• ATO attacks remain a leading threat, with significant consequences for organizations and users. 

• Gaining access to legitimate accounts allows attackers to bypass security measures and execute more damaging attacks. 

• Organizations should prioritize multi-factor authentication and robust monitoring to mitigate ATO risks. 

Further Reading: Proofpoint 

DeepSeek Lure Used to Spread Malware 

A new DeepSeek campaign uses CAPTCHA-like pages to distribute malware. Attackers use fake CAPTCHA challenges to lure users into executing malicious code, evading detection by appearing harmless. The campaign primarily targets users who are tricked into downloading and running the malware. This attack illustrates how cybercriminals are exploiting popular web features to deliver malicious payloads. 

Key Insights: 

• The malware is delivered through fake CAPTCHA-like pages, making it seem legitimate. 

• Attackers use this method to bypass security filters and trick users into downloading harmful software. 

• Regular security updates and cautious behavior when interacting with unfamiliar websites can help mitigate such threats. 

Further Reading: Zscaler Blog 

Botnet Targets Basic Auth in Microsoft 365 Password Spray Attacks 

A large botnet, consisting of over 130,000 compromised devices, is conducting password-spray attacks against Microsoft 365 accounts. The attackers are using Basic Authentication to evade Multi-Factor Authentication (MFA) protections, exploiting plaintext credentials to access accounts without triggering alerts. This method targets accounts with weak or leaked passwords and bypasses security measures that typically protect interactive sign-ins. Organizations are urged to disable Basic Auth, enforce MFA, and implement Conditional Access Policies (CAP) to protect against these attacks. 

Key Insights: 

• The botnet targets Basic Authentication to bypass MFA and gain unauthorized access. 

• Attackers use stolen credentials to conduct widespread password-spray attacks on Microsoft 365 accounts. 

• Disabling Basic Auth and enabling MFA are critical defenses against this type of attack. 

Further Reading: BleepingComputer 

New Undetectable Batch Script Uses PowerShell and Visual Basic to Install XWorm 

A new undetectable malware campaign uses a highly obfuscated Batch script to deliver the XWorm RAT or AsyncRAT. The script employs PowerShell and Visual Basic Script (VBS) to bypass security tools and download the malware. Once executed, the script establishes persistence and exfiltrates data via Telegram’s API. This campaign marks a significant evolution in fileless attacks, leveraging AI-generated code and cloud-based C2 to evade detection. 

Key Insights: 

• The malware uses a Batch script, PowerShell, and VBS to download XWorm or AsyncRAT. 

• Obfuscation and environmental checks make the attack difficult to detect by security tools. 

• Telegram’s API is used to exfiltrate system data, blending malicious traffic with legitimate communications. 

• AI tools may have assisted in generating the code, increasing sophistication and evasion tactics. 

Further Reading: GBHackers 

Chinese Hackers Target Hospitals by Spoofing Medical Software 

A new phishing campaign has been discovered where Chinese hackers are targeting hospitals by spoofing medical software, including fake updates for health-related applications. The hackers use these fake updates to deliver malware, gaining access to sensitive healthcare data. Hospitals and healthcare organizations are urged to be cautious of unsolicited software updates and to ensure they are obtaining updates from official sources. 

Key Insights: 

• Attackers are spoofing medical software updates to distribute malware in healthcare organizations. 

• The campaign targets sensitive healthcare data, with phishing emails disguised as software updates. 

• Healthcare organizations should verify software updates and ensure they come from trusted sources. 

Further Reading: KnowBe4 Blog 

GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready? 

The 2025 Mass Internet Exploitation Report reveals a dramatic increase in the speed and scale of cyberattacks, with attackers exploiting vulnerabilities faster than security teams can respond. In 2024, automated exploitation of known vulnerabilities was rampant, with legacy flaws from as far back as the 1990s being targeted alongside new threats. The most commonly exploited vulnerabilities were in home routers and IoT devices, which are often overlooked in traditional security strategies. To stay ahead of this rapidly evolving threat, executives must prioritize real-time intelligence and adapt patching and defense strategies to address both old and new vulnerabilities. 

Key Insights: 

• Attackers are automating vulnerability exploitation, surpassing traditional patching strategies. 

• Legacy vulnerabilities are still prime targets, with some dating back decades. 

• Ransomware groups are using mass exploitation to gain access, making real-time threat intelligence a necessity for effective defense. 

Further Reading: GreyNoise 

Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock 

BlackLock, a rapidly rising ransomware-as-a-service (RaaS) operator, has gained prominence for its custom malware and unique data-leak tactics. By Q4 2024, it had become the seventh most active ransomware group, using double extortion to encrypt data and steal sensitive information. BlackLock’s sophisticated leak site and the rapid expansion of its affiliate network via the Russian-language RAMP forum highlight its threat to organizations globally. Executives should prioritize enhancing defense strategies against evolving ransomware threats, including securing third-party access and increasing employee awareness about spear-phishing tactics. 

Key Insights: 

• Custom malware and bespoke ransomware distinguish BlackLock from competitors, making it harder for security tools to detect and defend against. 

• The data-leak site uses unique tricks to pressure victims into paying ransoms before assessing the full scope of the breach. 

• BlackLock’s growing influence on the RAMP forum indicates a well-established network that supports its global ransomware activities. 

Further Reading: ReliaQuest 

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal 

Black Basta and Cactus ransomware groups have expanded their attack methods by incorporating BackConnect malware. This malware creates an outbound connection, which enables attackers to remotely control compromised systems, bypassing security measures designed to block inbound attacks. By integrating BackConnect into their operations, these groups can maintain access to systems even after initial detection, facilitating long-term exploitation. Organizations must strengthen defenses to detect and block this new tactic and limit the potential damage. 

Key Insights: 

• BackConnect malware allows attackers to maintain persistent access through outbound connections. 

• This technique enables ransomware groups to bypass detection and continue exploiting compromised systems. 

• Organizations should improve detection capabilities to identify and block BackConnect traffic. 

Further Reading: Trend Micro 

Scammers Mailing Ransom Letters While Posing as BianLian Ransomware 

A new scam has emerged where fraudsters are mailing fake ransom letters to businesses, posing as the notorious BianLian ransomware group. The letters, claiming to be from BianLian, demand large Bitcoin ransoms, threatening to release sensitive data if payment is not made within 10 days. However, cybersecurity experts quickly identified multiple red flags: inconsistencies in the language, uncharacteristic delivery via physical mail, and no evidence of data breaches. This scheme aims to exploit the fear and reputation of a known ransomware group for financial gain. 

Key Insights: 

• Scammers are impersonating BianLian ransomware to demand Bitcoin payments via physical mail. 

• The letters use fear tactics, mimicking legitimate ransomware practices, but with numerous inconsistencies. 

• Organizations should educate employees on recognizing such scams and ensure cybersecurity defenses are up to date. 

Further Reading: HackRead 

This is a monthly newsletter that I share internally with our Cybersecurity team. Feel free to take and use for your own team. Created with the help of ChatGPT.

ModeLeak Vulnerabilities in Google's Vertex AI Platform 

Palo Alto Networks' Unit 42 team has uncovered two critical vulnerabilities, collectively termed "ModeLeak," within Google's Vertex AI platform. These flaws could enable attackers to escalate privileges and exfiltrate sensitive machine learning (ML) models, including fine-tuned large language model (LLM) adapters. 

Key Insights: 

• Privilege Escalation via Custom Jobs: Attackers can exploit custom job permissions to gain unauthorized access to data services within a project, leading to potential exposure of sensitive information. 

• Model Exfiltration through Malicious Models: By deploying a poisoned model, adversaries can exfiltrate other fine-tuned models in the environment, risking proprietary data and custom optimizations. 

Google has addressed these vulnerabilities by implementing fixes in the Vertex AI platform. Organizations utilizing Vertex AI should review their security protocols to ensure protection against similar threats. 

Further Reading: Unit 42 Blog 

Black Basta Ransomware Adopts Advanced Social Engineering Tactics 

The Black Basta ransomware group has recently enhanced its attack strategies by incorporating sophisticated social engineering techniques, including email bombing, QR code phishing, and the deployment of custom malware payloads. 

Key Developments: 

• Email Bombing: Attackers inundate targets with excessive emails by subscribing their addresses to numerous mailing lists. This tactic overwhelms victims and increases the likelihood of interaction with subsequent malicious communications. 

• Impersonation via Microsoft Teams: Threat actors pose as IT support personnel, contacting victims through Microsoft Teams to establish trust and facilitate the installation of remote access tools. 

• QR Code Phishing: Malicious QR codes are sent to victims, directing them to phishing sites designed to harvest credentials or deploy additional malware. 

• Custom Malware Deployment: The group utilizes bespoke tools such as KNOTWRAP (a memory-only dropper) and KNOTROCK (a .NET-based utility) to execute ransomware payloads stealthily. 

Further Reading: The Hacker News 

North Korean IT Workers Infiltrating Global Companies 

Recent investigations have uncovered that operatives from the Democratic People's Republic of Korea (DPRK) are securing remote IT positions in international companies under false identities. These individuals channel their earnings to fund North Korea's weapons programs, posing significant security and compliance risks to employers. 

Key Insights: 

• Use of False Identities: North Korean IT workers often utilize stolen or fabricated identities to obtain employment, making detection challenging. 

• Revenue Generation for DPRK: Earnings from these positions are funneled back to North Korea, supporting its sanctioned weapons development initiatives. 

• Potential for Insider Threats: Beyond financial implications, these operatives may have access to sensitive company data, increasing the risk of intellectual property theft and cyber espionage. 

Further Reading: Unit 42 Blog 

North Korean IT Workers Linked to Phishing Attacks via Malicious Video Conferencing Apps 

Unit 42 researchers have identified a cluster of North Korean IT operatives, designated as CL-STA-0237, involved in phishing attacks that deploy malware through counterfeit video conferencing applications. Operating primarily from Laos, these individuals have secured positions in various companies, leveraging their roles to further malicious activities. 

Key Insights: 

• Malware Distribution: The group utilizes fraudulent video conferencing platforms to disseminate malware, notably the BeaverTail and InvisibleFerret remote access trojans, compromising systems during supposed job interview processes. 

• Global Reach: By infiltrating organizations worldwide, these operatives support North Korea's illicit endeavors, including its weapons of mass destruction and ballistic missile programs. 

• Evolving Tactics: The shift from merely seeking income to engaging in aggressive malware campaigns indicates a significant escalation in their operational strategies. 

Further Reading: Unit 42 Blog 

Surge in 'ClickFix' Social Engineering Attacks 

Cybersecurity researchers have identified a significant increase in the use of a social engineering tactic known as "ClickFix." This method deceives users into copying and pasting malicious commands into their systems, leading to malware infections. 

Key Developments: 

• Deceptive Error Messages: Attackers present fake error dialogs, prompting users to execute provided commands to resolve non-existent issues. 

• Malware Delivery: By following these instructions, users inadvertently run scripts that download and install malware such as Lumma Stealer and AsyncRAT. 

• Global Impact: Campaigns employing ClickFix techniques have targeted organizations worldwide, with notable incidents involving fake GitHub security notifications and counterfeit software updates. 

Further Reading: Proofpoint Blog 

Malicious Ads Deliver SocGholish Malware to Kaiser Permanente Employees 

A recent cyberattack has targeted Kaiser Permanente employees through malicious advertisements on Google Search, leading to the distribution of SocGholish malware. 

Key Developments: 

• Malicious Advertisements: Threat actors placed deceptive ads mimicking Kaiser Permanente's HR portal to lure employees searching for benefits and payroll information. 

• Compromised Website Redirects: Clicking the fraudulent ad redirected users to a compromised website, bellonasoftware[.]com, which briefly displayed a phishing page before prompting a fake browser update. 

• SocGholish Malware Deployment: The fake browser update led to the download of "Update.js," a malicious script associated with the SocGholish malware campaign, designed to collect system information and potentially allow human operators to execute further malicious actions. 

This incident highlights the evolving tactics of cybercriminals in exploiting trusted platforms like Google Ads to distribute malware. 

Further Reading: Malwarebytes Blog 

DarkGate Malware Leveraging Vishing via Microsoft Teams 

Recent analyses have identified a concerning trend in which cybercriminals are deploying DarkGate malware through vishing (voice phishing) attacks conducted via Microsoft Teams. 

Key Developments: 

• Social Engineering Tactics: Attackers impersonate employees from known client organizations during Microsoft Teams calls, convincing victims to download remote desktop applications like AnyDesk. 

• Malware Deployment: Once remote access is established, DarkGate malware is installed, enabling threat actors to execute malicious commands, gather system information, and maintain persistent access. 

• Operational Impact: Although some attacks have been thwarted before data exfiltration, the initial breach underscores vulnerabilities in user awareness and the potential for significant security incidents. 

Further Reading: Trend Micro Research 

Sophisticated Phishing Campaigns Exploit Trusted Platforms 

Recent analyses have uncovered advanced phishing campaigns targeting employees across multiple industries and jurisdictions. These operations employ sophisticated techniques to bypass Secure Email Gateways (SEGs) and exploit trusted platforms, creating highly convincing schemes to deceive victims and steal their credentials. 

Key Developments: 

• Exploitation of Trusted Platforms: Attackers leverage familiar platforms and services to enhance the credibility of their phishing attempts, making it more challenging for victims to identify fraudulent communications. 

• Bypassing Secure Email Gateways (SEGs): The campaigns utilize advanced methods to evade detection by SEGs, allowing malicious emails to reach employees' inboxes undetected. 

• Wide-Ranging Targets: Over 30 companies across 12 industries and 15 jurisdictions have been affected, indicating a broad and indiscriminate approach by the threat actors. 

Further Reading: Group-IB Blog 

Top Cyber Attacker Techniques (August–October 2024) 

Recent analyses have identified key cyber attacker tactics, techniques, and procedures (TTPs) observed between August 1 and October 31, 2024. 

Key Developments: 

• Phishing Incidents: Phishing accounted for 46% of all customer incidents during this period, indicating a significant rise likely due to high employee turnover and the accessibility of phishing kits. 

• Prevalent Malware: "SocGholish" and "LummaC2" emerged as the most frequently observed malware in customer environments, highlighting their widespread use in recent attacks. 

• Cloud Services Alerts: There was a 20% increase in cloud services alerts, correlating with the rising adoption of cloud accounts and associated security challenges. 

• Ransomware Activity: Despite a slowdown in "LockBit" ransomware activity due to law enforcement actions and a loss of affiliate trust, it remains a key player. Meanwhile, "RansomHub" is rising rapidly due to its attractive ransomware-as-a-service (RaaS) model. The U.S., manufacturing sector, and professional, scientific, and technical services (PSTS) sector are primary targets amidst an overall increase in ransomware attacks. 

• Initial Access Broker (IAB) Activity: IAB activity increased by 16%, heavily targeting U.S.-based organizations, possibly due to perceived financial capabilities stemming from cyber insurance. 

• Insider Threat Content: A 7% rise in insider threat discussions on cybercrime forums was noted, driven by significant financial incentives, underscoring the growing complexity of cybersecurity challenges. 

• Impersonating Domain Alerts: There was a 6% increase in alerts related to impersonating domains, indicating ongoing reliance on simple techniques to capture credentials and data. 

Further Reading: ReliaQuest Blog 

Phishing Attacks Double in 2024 

Recent analyses reveal a significant surge in phishing activities throughout 2024, with overall phishing messages increasing by 202% in the latter half of the year. Notably, credential phishing attacks have escalated by 703% during the same period. 

Key Developments: 

• Prevalence of Zero-Day URLs: Approximately 80% of malicious links identified are zero-day threats—newly created URLs designed to evade traditional detection methods. 

• Diversification of Attack Vectors: While link-based phishing remains predominant, there is a notable increase in text-based threats, such as business email compromise (BEC) and invoice scams, as well as file-based threats employing techniques like HTML smuggling. 

• Expansion Beyond Email: Phishing attacks are increasingly targeting multiple platforms, including SMS, LinkedIn, and Microsoft Teams, indicating a shift towards multichannel approaches. 

Further Reading: Infosecurity Magazine 

Surge in Phishing Attacks via New Top-Level Domains 

Recent analyses reveal a significant increase in phishing attacks, with a 40% rise observed in the year ending August 2024. A substantial portion of this growth is attributed to the exploitation of new generic top-level domains (gTLDs) such as .shop, .top, and .xyz, which are favored by cybercriminals due to their low registration costs and minimal verification requirements. 

Key Developments: 

• Disproportionate Use in Cybercrime: Although new gTLDs constitute only 11% of the market for new domains, they account for approximately 37% of reported cybercrime domains between September 2023 and August 2024. 

• Attraction to Low-Cost Registrations: Registrars offering domain registrations for less than $1, with little to no identity verification, are particularly appealing to spammers and scammers seeking to conduct malicious activities anonymously. 

• ICANN's Expansion Plans: Despite the misuse of these new gTLDs, the Internet Corporation for Assigned Names and Numbers (ICANN) is proceeding with plans to introduce additional gTLDs, potentially broadening the landscape for cybercriminal activities. 

Further Reading: Krebs on Security 

Surge in Suspicious Domain Registrations Exploiting High-Profile Events 

Recent analyses have identified a significant increase in suspicious domain registration campaigns exploiting high-profile events, such as the 2024 Summer Olympics in Paris. 

Key Developments: 

• Event-Driven Domain Registrations: Threat actors register deceptive domains containing event-specific keywords to mimic official websites, aiming to deceive users seeking legitimate information. 

• Exploitation of Public Interest: Cybercriminals leverage global events to attract large audiences, using fraudulent domains to distribute malware, conduct phishing attacks, or sell counterfeit merchandise. 

• Indicators of Malicious Activity: Monitoring domain registrations, DNS traffic, URL patterns, and textual characteristics can help identify and mitigate these threats. 

Further Reading: Unit 42 Blog 

Zloader Malware Adopts DNS Tunneling for Stealthier C2 Communications 

Recent analyses have identified that the Zloader malware, a modular Trojan based on the leaked Zeus source code, has incorporated DNS tunneling into its command-and-control (C2) communication methods. 

Key Developments: 

• DNS Tunneling Implementation: Zloader now employs a custom protocol over DNS, utilizing IPv4 to tunnel encrypted TLS network traffic. This technique enables the malware to conceal its C2 communications within standard DNS queries and responses, making detection more challenging. 

• Enhanced Anti-Analysis Features: The latest version of Zloader includes improved anti-analysis capabilities, such as environment checks and API import resolution algorithms, to evade malware sandboxes and static detection methods. 

• Interactive Shell Capability: Zloader has introduced an interactive shell that supports over a dozen commands, potentially facilitating hands-on keyboard activity by threat actors during attacks. 

Further Reading: Zscaler Blog 

Cybercriminals Exploit Fake CAPTCHAs to Distribute Malware 

Recent analyses have identified a deceptive tactic where cybercriminals use fake CAPTCHA pages to distribute malware, exploiting users' trust in these verification systems. 

Key Developments: 

• Malicious Redirects: Users visiting compromised websites are redirected to fraudulent CAPTCHA pages that closely mimic legitimate services like Google and CloudFlare. 

• Clipboard Hijacking: These fake CAPTCHAs silently copy malicious commands to the user's clipboard via JavaScript, prompting them to execute these commands unknowingly through the Windows Run prompt. 

• Malware Installation: Executing the copied commands leads to the installation of malware, including information stealers and remote-access trojans (RATs), which can extract sensitive data and provide persistent access to compromised systems. 

Further Reading: ReliaQuest Blog 

Threat Actors Exploit LDAP for Network Enumeration 

Recent analyses have identified that both nation-state and cybercriminal threat actors are leveraging the Lightweight Directory Access Protocol (LDAP) to perform network enumeration within Active Directory environments. 

Key Developments: 

• Abuse of LDAP Attributes: Attackers utilize LDAP queries to extract sensitive information, such as user accounts, group memberships, and permissions, facilitating lateral movement and privilege escalation within compromised networks. 

• Use of Enumeration Tools: Tools like BloodHound and its data collector, SharpHound, are commonly employed to map Active Directory structures, identifying potential attack paths and high-value targets. 

• Detection Challenges: Distinguishing between legitimate and malicious LDAP activity is difficult due to the high volume of benign LDAP traffic in typical network environments, complicating efforts to detect and mitigate these attacks. 

Further Reading: Unit 42 Blog 

'Araneida' Web Hacking Service Linked to Turkish IT Firm 

Recent investigations have uncovered that 'Araneida,' a cloud-based web hacking service, is utilizing a cracked version of Acunetix—a commercial web application vulnerability scanner—to facilitate cyberattacks. Notably, this service has been traced back to a Turkish information technology firm. 

Key Developments: 

• Exploitation of Cracked Software: Araneida employs an unauthorized version of Acunetix, enabling users to perform offensive reconnaissance, extract user data, and identify exploitable vulnerabilities on target websites. 

• Proxy Integration for Anonymity: The service incorporates a robust proxy network, allowing scans to originate from a diverse pool of IP addresses, thereby concealing the true source of the activity. 

• Cybercriminal Promotion: Advertised on multiple cybercrime forums and boasting a Telegram channel with nearly 500 subscribers, Araneida has been linked to the compromise of over 30,000 websites within six months. One user claimed to have purchased a luxury vehicle using proceeds from payment card data obtained through the service. 

• Connection to Turkish IT Firm: Investigations reveal that the domain araneida[.]co, operational since February 2023, is associated with an individual employed as a senior software developer at Bilitro Yazilim, an IT firm based in Ankara, Turkey. 

Further Reading: Krebs on Security 

LLMs Employed to Obfuscate Malicious JavaScript 

Recent analyses have revealed that adversaries are leveraging large language models (LLMs) to obfuscate malicious JavaScript code, enhancing its ability to evade detection mechanisms. 

Key Developments: 

Automated Code Obfuscation: Attackers utilize LLMs to iteratively transform malicious JavaScript through techniques such as variable renaming, dead code insertion, and whitespace removal, without altering the code's functionality. 

Evasion of Detection Tools: These LLM-generated variants can bypass traditional detection tools, including static analysis models, by producing natural-looking code that is harder to identify as malicious. 

Scalability of Attacks: The use of LLMs enables the creation of numerous unique malware variants at scale, increasing the difficulty for security systems to detect and mitigate these threats effectively. 

Further Reading: Unit 42 Blog 

Mobile Phishing Attacks Employ New Tactics to Evade Security Measures 

Recent analyses have identified a novel social engineering tactic targeting mobile banking users. Attackers are leveraging Progressive Web Apps (PWAs) and WebAPKs to distribute phishing websites disguised as legitimate applications, effectively bypassing traditional security warnings and app store vetting processes. 

Key Insights: 

• Exploitation of PWAs and WebAPKs: Unlike traditional apps, these malicious PWAs and WebAPKs are essentially phishing websites packaged to look like legitimate applications. This means they do not exhibit the typical behaviors or characteristics associated with malware, making detection more challenging. 

• Bypassing Security Measures: Their ability to bypass traditional security warnings of a mobile operating system, and total sidestepping of app store vetting processes, is particularly concerning. This allows attackers to distribute malicious content without triggering standard security alerts. 

• Anticipated Increase in Sophistication: It is anticipated that more sophisticated and varied phishing campaigns utilizing PWAs and WebAPKs will emerge, unless mobile platforms change their approach towards them. 

Further Reading: KnowBe4 Blog