This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.

DKIM Replay Attacks Abuse Trusted Email for Invoice and Support Scams 

Threat researchers are tracking a rise in DKIM replay attacks, where adversaries reuse legitimate, cryptographically signed emails from trusted services such as Apple and PayPal. Because these messages retain valid authentication, they can bypass email security controls and appear legitimate to recipients, even when used to deliver fraudulent invoices or support scams. 

Key Insights 

• DKIM replay attacks involve capturing a genuine, signed email and redistributing it without breaking authentication checks. 

• Since DKIM and DMARC validation still passes, many email defenses treat the replayed message as trusted. 

• Attackers commonly abuse invoice or notification workflows that allow user-controlled fields to inject scam content. 

• Messages often include urgent payment requests or fake support numbers designed to trigger rapid victim response. 

• DKIM verifies message integrity but does not restrict message reuse, making replay a persistent risk. 

Further Reading: Kaseya 

CrashFix: New ClickFix Variant Deploys Python Remote Access Trojan 

Threat researchers have identified a new evolution of the ClickFix social engineering campaign known as CrashFix. This variant intentionally crashes a victim’s browser and presents a deceptive recovery prompt that convinces users to manually execute commands on their own systems. The interaction ultimately leads to the installation of a Python-based remote access trojan, giving attackers persistent access to compromised devices. 

Key Insights 

• CrashFix commonly begins with users being prompted to install a malicious browser extension disguised as a legitimate utility, such as an ad blocker. 

• The extension later forces the browser into a crash state, creating urgency and the illusion of a technical failure. 

• Victims are shown fake troubleshooting instructions that direct them to run system commands, unknowingly initiating the infection chain. 

• The attack leverages built-in Windows tools and scripting to deploy a Python-based remote access trojan that enables surveillance and long-term access. 

• The campaign appears designed to prioritize enterprise environments, including systems connected to corporate domains. 

Further Reading: Microsoft Security Blog 

LTX Stealer: Node.js–Based Credential Theft Malware 

Researchers have analyzed LTX Stealer, a credential-stealing malware built on a Node.js architecture that abuses legitimate installer frameworks to mask malicious activity. The malware embeds its own runtime and uses obfuscation techniques to complicate analysis while quietly collecting sensitive data from infected systems. Stolen information is staged and exfiltrated using cloud-based infrastructure, helping the activity blend into normal network traffic. 

Key Insights 

• LTX Stealer is delivered via deceptive installers that appear legitimate, allowing it to bypass basic security checks. 

• The malware embeds a full Node.js runtime and compiles JavaScript logic into bytecode to hinder reverse engineering. 

• It targets browser-stored credentials, cookies, session tokens, and cryptocurrency-related artifacts. 

• Cloud services are used for command-and-control and data handling, increasing operational resilience. 

• Indicators suggest the stealer is offered in a service-based model, lowering the barrier to entry for threat actors. 

Further Reading: CYFIRMA 

SaaS Abuse at Scale: Phone-Based Scam Campaign Leveraging Trusted Platforms 

Threat researchers have identified a large-scale scam campaign in which attackers abuse legitimate SaaS platform features to deliver phone-based fraud lures. Rather than relying on malicious links or spoofed domains, the campaign misuses native notification and messaging workflows from trusted services, causing emails to appear authentic and pass standard security checks. Victims are directed to call attacker-controlled phone numbers, shifting the final stage of the scam to voice-based social engineering. 

Key Insights 

• Attackers exploit built-in notification systems within SaaS platforms to generate messages that inherit trust from legitimate services. 

• The campaign operated at significant scale, impacting tens of thousands of organizations worldwide. 

• Emails frequently avoid malicious links and instead instruct recipients to call fake support phone numbers. 

• Multiple abuse techniques were observed, including misuse of general SaaS messaging and business invitation workflows. 

• The activity reflects a broader shift toward abusing trusted platforms rather than deploying traditional phishing infrastructure. 

Further Reading: Check Point Research 

Public Sector AI Adoption Trends Highlight Growing Use and Security Gaps 

Recent analysis shows accelerating adoption of artificial intelligence across government, healthcare, and education organizations. While AI tools are increasingly used to improve efficiency and support operations, security controls and governance maturity vary widely across sectors. This uneven oversight increases the risk of sensitive data exposure as AI usage expands. 

Key Insights 

• Healthcare organizations generate the highest volume of AI-related activity, reflecting broad experimentation and operational use. 

• Education environments show rapid growth in AI adoption with comparatively limited blocking or oversight. 

• Government agencies continue to expand AI use, but governance and control maturity differ significantly between organizations. 

• AI tools are increasingly used for analytics, summarization, and workflow automation, increasing the amount of sensitive data processed. 

• The same technologies driving productivity gains are also being leveraged by threat actors to streamline and scale malicious activity. 

Further Reading: Zscaler 

Marco Stealer: Node.js–Based Information Stealer Targeting Browsers and Wallets 

Researchers have analyzed Marco Stealer, an information-stealing malware built on a Node.js framework and designed to quietly harvest sensitive data from compromised Windows systems. The malware uses layered obfuscation and anti-analysis techniques to evade detection while collecting credentials, cryptocurrency assets, and system metadata before exfiltrating the data to attacker-controlled infrastructure. 

Key Insights 

• Marco Stealer targets browser-stored credentials, cookies, session tokens, and cryptocurrency wallet data. 

• The malware embeds its own runtime and employs obfuscation and process-disruption techniques to evade security tools. 

• Stolen data is encrypted prior to exfiltration, helping the activity blend into normal network traffic. 

• Additional components are dropped to extract browser encryption keys and access local data stores. 

• System profiling is used to collect host details such as hardware identifiers, security software, and environment metadata. 

Further Reading: Zscaler 

Guloader Obfuscation Techniques: How Malware Hides and Runs 

Security researchers have published a detailed technical breakdown of Guloader, a widely abused malware loader used to deliver a variety of follow-on threats. Rather than being a single piece of malware, Guloader is a framework that implements multiple evasion and obfuscation methods to hide its payloads and complicate analysis. The techniques include heavy use of encrypted blobs, staged downloads, and custom packing schemes that make it difficult for defenders to detect or reverse engineer the underlying malicious code. This analysis highlights how modern loaders blend encryption and dynamic execution to stay ahead of static detection tools. 

Key Insights 

• Guloader uses layered encryption and packing to hide its true intent at each stage of execution. 

• The loader often employs staged retrieval of payloads to avoid including malicious code directly in its initial files. 

• Encrypted components are decrypted only at runtime, limiting the value of static signature checks. 

• Custom obfuscation schemes, including junk data and randomized structures, make automated analysis harder. 

• The framework’s modular nature allows it to deliver various malware families under the same loader infrastructure. 

Further Reading: Zscaler on Guloader Obfuscation 

ShinyHunters Target SSO and MFA With Hybrid Vishing and Phishing 

Researchers have outlined how threat actors linked to the ShinyHunters ecosystem are combining voice-based social engineering with real-time credential harvesting to compromise single sign-on (SSO) accounts and bypass multi-factor authentication (MFA). Rather than exploiting technical flaws, the attackers manipulate users directly — convincing them over the phone to log into convincing fake portals that capture credentials and authentication codes as they are entered. 

Key Insights 

• Attackers impersonate internal IT or security teams during phone calls to build credibility and urgency. 

• Victims are guided to realistic SSO login pages designed to harvest usernames, passwords, and MFA codes in real time. 

• Threat actors can leverage captured authentication data to enroll their own MFA devices or complete push/SMS challenges during the live interaction. 

• Once SSO access is obtained, attackers pivot across connected SaaS applications using federated identity trust relationships. 

• Because the activity relies on legitimate authentication flows and human manipulation, detection often occurs only after account compromise. 

Further Reading: Abnormal AI 

Scattered Lapsus/ShinyHunters Actors Targeting Credentials and MFA 

Threat researchers examined ongoing activity by groups associated with the Scattered Lapsus and ShinyHunters ecosystem, noting a continued focus on credential theft, multi-factor authentication bypass, and social engineering. These actors are adapting their methods — often mixing phishing and voice-based tactics — to capture login information and session tokens from users, particularly where traditional defenses rely more on end-user interaction than resistant authentication controls. Their operations underscore how human-centric attack paths remain productive for obtaining initial access and driving follow-on compromise. 

Key Insights 

• Scattered Lapsus/ShinyHunters–linked actors continue to prioritize credential harvesting and MFA capture instead of exploiting software vulnerabilities. 

• Hybrid tactics, including email phishing combined with voice-based engagement, increase likelihood of success by manipulating victims in real time. 

• Obtained login details and session authentication can be used to bypass standard protections and access a wide range of cloud and enterprise services. 

• Attackers adapt quickly to defensive changes, often modifying phishing content and delivery techniques to avoid static detections. 

• The activity reflects a broader trend of focusing on identity and access abuse as a reliable initial access vector. 

Further Reading: KrebsOnSecurity 

QR Codes Used as an Attack Vector in Phishing and Malware Campaigns 

Threat researchers have documented an increase in malicious use of QR codes by attackers. QR codes — once primarily a convenience tool for quickly linking users to URLs — are now being embedded in phishing campaigns, physical media, and social engineering lures. Because many people instinctively trust QR codes and may not check the underlying link before scanning, attackers can use them to direct victims to sites hosting credential-harvesting pages, malware downloads, or other harmful content. This trend shows how even familiar convenience features can be abused when users aren’t aware of the risks. 

Key Insights 

• QR codes are being inserted into phishing emails, SMS messages, posters, and social media posts to silently redirect users to malicious destinations. 

• Scanning a QR code can open links that lead to credential-harvesting pages that mimic legitimate services, increasing the chance of compromise. 

• QR codes can also deliver links to files or installers, which victims may download unknowingly. 

• Because QR codes obscure the actual URL, they make it harder for users to assess safety before interacting. 

• Awareness of this technique is critical, as attackers blend convenience with malicious intent in everyday workflows. 

Further Reading: Unit 42 

Global Cyber Attacks Up Sharply in January 2026 as Ransomware and AI-Related Risks Grow 

New threat intelligence from Check Point Research shows that cyber attack volumes continued climbing in January 2026, with organizations worldwide experiencing more attacks per week than in the previous month and compared to the same time last year. The rise is linked largely to expanding ransomware activity and growing exposure risks tied to the widespread adoption of generative AI technologies. 

Key Insights 

• The average number of weekly cyber attacks per organization increased compared with both December 2025 and January 2025, continuing an upward trend. 

• Ransomware operations remain a dominant force, driving a significant portion of the overall increase in malicious traffic and compromise attempts. 

• Data-exposure risks linked to AI usage are growing as more organizations integrate generative AI tools without fully mature security governance. 

• The trend reflects broader shifts in attacker behavior, combining automated techniques with social engineering and hybrid attack chains. 

• Continued escalation underscores that cyber threats are not just frequent but also more sophisticated and coordinated across vectors. 

Further Reading: Check Point Blog on Global Cyber Attacks in January 2026 

Muddled Libra Operations Playbook Reveals Blended Trickery for Access and Persistence 

Threat researchers analyzed a campaign tracked as Muddled Libra, finding that this group blends multiple attack techniques — including social engineering, exploitation of trusted communication channels, and identity abuse — to gain initial access and maintain footholds in victim networks. The operations playbook shows how attackers coordinate deceptive lures and follow-on activity to evade simple detection and pivot across connected systems once access is established. 

Key Insights 

• Muddled Libra uses layered social engineering and phishing lures to entice victims into compromising actions. 

• Attack activity often leverages legitimate systems and workflows, making malicious intent harder to spot with basic defenses. 

• Once initial access is achieved, the group applies techniques to persist and escalate access within compromised environments. 

• Identity abuse and session manipulation are central to the group’s ability to move laterally and access multiple services. 

• The blended nature of the playbook underscores the importance of detection methods that correlate behavior across email, identity, and endpoint telemetry. 

Further Reading: Unit 42 – Muddled Libra Operations 

DNS-Based ClickFix Variant Uses nslookup to Stage Malware 

Microsoft has disclosed details of a new variation of the ClickFix social engineering tactic that leverages the Windows nslookup command to fetch and execute malware. In this attack, victims are tricked into running a specially crafted DNS lookup via the Run dialog, which retrieves the next-stage payload from a threat actor-controlled DNS server. This DNS-based staging channel helps the malicious activity blend into normal network traffic and evade many traditional security controls. 

Key Insights 

• The attack begins with social engineering that convinces users to execute a command using the Windows nslookup utility. 

• Instead of downloading malware directly from a web server, the DNS response is used to stage and deliver the next payload. 

• Using DNS as a signaling and staging channel makes the malware delivery harder to detect by tools focused on web traffic patterns. 

• The second-stage payload typically includes an archive containing scripts that perform reconnaissance and drop a remote access trojan. 

• Persistence mechanisms are used so that the malicious payload runs on system startup after compromise. 

Further Reading: The Hacker News 

Notepad Infrastructure Compromise Shows How Legitimate Tools Are Repurposed for Escalation 

Threat researchers have detailed an infrastructure compromise in which attackers leveraged legitimate system tools and applications — including Notepad — within a broader malicious campaign. Instead of using custom malware exclusively, the adversary incorporated common utilities to execute scripted actions, deploy payloads, and maintain persistence, making their activity harder to distinguish from normal operational behavior. This technique demonstrates how even benign tools can be abused in post-compromise stages to evade detection and blend in with legitimate system use. 

Key Insights 

• The compromise involved repurposing trusted applications to execute malicious scripts and support lateral movement within the network. 

• By using built-in tools rather than obvious malware binaries, the attackers reduced the likelihood of triggering traditional defenses. 

• Scripted use of common utilities enabled the deployment of additional payloads without reliance on standalone executables. 

• This pattern of abuse helps the adversary remain under the radar by mimicking legitimate administrative activity. 

• The incident underscores the importance of focusing on behavior and context, not just file signatures, when detecting threats. 

Further Reading: Unit 42 Notepad Infrastructure Compromise 

Chrome Zero-Day Exploit Patched After In-The-Wild Abuse (CVE-2026-2441) 

Google has released an urgent security update for its Chrome browser to address a high-severity zero-day vulnerability that was actively exploited in the wild. The flaw, tracked as CVE-2026-2441, is a use-after-free memory issue in Chrome’s CSS handling. A specially crafted webpage could trigger the vulnerability, potentially allowing remote code execution within the browser’s sandbox. The issue was reported by a security researcher and patched quickly due to confirmed exploitation activity. 

Key Insights 

• CVE-2026-2441 is a use-after-free vulnerability affecting Chrome’s CSS engine. 

• Exploitation can be triggered simply by visiting a malicious website. 

• Successful attacks may allow arbitrary code execution within the browser sandbox. 

• Emergency updates were released for Windows, macOS, and Linux platforms. 

• Technical details are being limited until widespread patch adoption reduces the risk of further abuse. 

Further Reading: The Register 

Huntress Report Reveals How Organized Cybercrime Operates at Scale 

A new 2026 Cyber Threat Report from Huntress lays out how modern cybercriminals have evolved into highly efficient, profit-driven operators — running campaigns that resemble legitimate businesses rather than isolated hacker hits. The analysis draws on telemetry from millions of endpoints and identities and highlights how organized cybercrime groups are abusing trusted tools, stolen credentials, and scaled workflows to compromise people and organizations worldwide. 

Key Takeaways 

• Legitimate tools are being weaponized — Remote monitoring and management (RMM) systems are now a top choice for attackers to deploy malware, steal credentials, and execute commands without using traditional hacking tools. 

• User deception fuels malware delivery — Techniques like ClickFix social engineering accounted for more than half of observed malware loader activity by tricking people into installing threats as part of routine actions. 

• Ransomware groups follow streamlined playbooks — Major ransomware operators are focusing on stealth and data theft, increasing time-to-ransom and making detection harder. 

• Criminal ecosystems are thriving — Stolen credentials are being sold cheaply on underground markets, making initial access easier and boosting identity-based attacks. 

• Mailbox manipulation and OAuth abuse lead to BEC — These identity threats are establishing footholds that set the stage for high-impact business email compromise schemes. 

Further Reading: Huntress 2026 Cyber Threat Report 

Starkiller Phishing Kit: Using Adversary-in-the-Middle (AiTM) to Bypass MFA 

Summary Abnormal Security researchers have identified a sophisticated new Phishing-as-a-Service (PhaaS) platform named Starkiller. Unlike traditional phishing that uses static fake websites, Starkiller employs a "live proxy" or Adversary-in-the-Middle (AiTM) approach. It acts as a bridge between the victim and the legitimate service (like Microsoft 365 or Gmail), mirroring the real login page in real-time. This allows the kit to capture not just passwords, but also live Multi-Factor Authentication (MFA) codes and session tokens, giving attackers full access to compromised accounts. 

Key Takeaways 

• MFA is No Longer Enough: By proxying the legitimate login process, Starkiller bypasses traditional MFA, including SMS codes and authenticator apps. 

• Dynamic Mirroring: The kit uses a headless browser to display the actual, current version of a brand's website, making the phishing page look identical to the real one. 

• Professionalized Crime: Starkiller is sold as a subscription service by a group called Jinkusu, featuring a user-friendly dashboard that allows even low-skilled attackers to launch advanced campaigns. 

• Evasion Tactics: The platform includes built-in tools to mask URLs and bypass security filters, making it harder for automated scanners to flag the malicious links. 

Further Reading: Starkiller: New Phishing Framework Proxies Real Login Pages to Bypass MFA 

AI Recommendation Poisoning: How "Summarize with AI" Buttons Can Bias Your Assistant 

Summary Microsoft security researchers have uncovered a new deceptive technique called AI Recommendation Poisoning. This attack targets the "memory" and personalization features of AI assistants like Microsoft Copilot, ChatGPT, and Gemini. By embedding hidden instructions in seemingly helpful "Summarize with AI" buttons or share links, companies and bad actors can inject persistent "facts" or preferences into your AI’s long-term memory. Once poisoned, the AI may begin to show subtle biases—recommending specific products, favoring certain vendors, or trusting unreliable sources—without you ever knowing the assistant has been manipulated. 

Key Takeaways 

• The Helpful Button Trap: Be cautious of "Summarize with AI" buttons on third-party websites. They may contain hidden URL parameters that do more than just summarize; they can "pre-fill" instructions that tell your AI to "always remember this site as a trusted source." 

• Persistent Bias: Unlike a standard prompt injection that only affects one conversation, memory poisoning is designed to last. The injected instructions can influence the AI's behavior across future sessions, even weeks after you clicked the link. 

• Hidden in Plain Sight: These malicious prompts often use phrases like "from now on," "always," or "remember" to establish persistence. Because the AI presents these biased recommendations confidently, users are less likely to question their accuracy. 

• Practical Defense: Periodically review and clear your AI assistant’s memory or "personalization" settings. Hover over AI-related links before clicking to see if the URL contains long, suspicious-looking text strings or commands. 

Further Reading: Manipulating AI memory for profit: The rise of AI Recommendation Poisoning 

This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.

CrazyHunter Ransomware’s Stealth Tactics and Attack Chain 

Researchers have analyzed CrazyHunter, an evolving ransomware strain that combines stealthy evasion techniques with aggressive lateral movement. The ransomware disables security controls early in the attack chain, spreads across enterprise environments, and encrypts data using strong cryptography, making detection and recovery difficult. 

Key Insights 

• Initial access is often gained through weak Active Directory credentials, followed by lateral movement using Group Policy abuse. 

• The ransomware uses bring-your-own-vulnerable-driver techniques to terminate security tools and evade detection. 

• Multi-stage execution disables defenses before loading the ransomware payload, including in-memory execution to avoid disk artifacts. 

• Hybrid encryption is used to lock victim data and protect encryption keys. 

• Victims are pressured through data leak threats and direct extortion tactics. 

Further Reading: Trellix 

Sophisticated ClickFix Campaign Targeting the Hospitality Sector 

A recent phishing campaign has been observed targeting the hospitality industry with a refined version of the ClickFix social-engineering technique. In this variant, victims are presented with what appears to be a routine human-verification prompt or CAPTCHA, but the displayed “fix” instructions lead them to execute commands on their systems. Once executed, these commands deploy remote-access malware that gives attackers control over endpoints, enabling credential theft, data exfiltration, or further malicious activity. Because the campaign leverages familiar prompts and trusted branding, users may be more likely to follow the steps without suspecting foul play. 

Key Insights 

• Attackers are tailoring ClickFix lures to the hospitality sector’s workflows and terminology. 

• The campaign uses fake verification prompts that instruct victims to run benign-looking commands. 

• Executing these commands installs remote-access malware that compromises devices. 

• Social engineering remains a powerful vector when paired with familiar user interactions. 

Further Reading: SecurityWeek 

Analyzing PhaltBlyx: Fake BSODs and Trusted Build Tools Used to Construct a Malware Infection 

Researchers have dissected a malware campaign involving PhaltBlyx, a deceptive infection method that combines social engineering with abuse of trusted development tools and fake system prompts. In this technique, victims encounter what appears to be a Blue Screen of Death (BSOD) or other alarming system error. Instead of indicating a real crash, the fake BSOD is used to convince the user to run repair or diagnostic tools — including legitimate build tools — that have been co-opted to execute malicious scripts. Once launched, these components pull additional payloads and establish persistence, often evading traditional security defenses because they’re routed through trusted binaries. 

Key Insights 

• Fake system errors like bogus BSODs are used to create urgency and lower user skepticism. 

• Attackers abuse trusted development/build tools to execute malicious scripts, making detection harder. 

• Once executed, these scripts fetch and deploy additional malware components. 

• Using legitimate tools helps the infection evade security controls that trust known binaries. 

Further Reading: Securonix 

Cyber Criminal Ecosystem Analysis 

Researchers have mapped the modern cyber criminal ecosystem, revealing how threat actors operate with increasing organization and specialization. Instead of lone attackers working in isolation, today’s underground economy functions more like a service industry — with distinct roles and marketplaces for phishing kits, malware, access brokers, and human-based attack services. This division of labor allows even low-skilled attackers to launch sophisticated campaigns by purchasing tools, infrastructure, or privileged access from others. Understanding this ecosystem helps defenders anticipate how capabilities and services evolve and how attacks scale. 

Key Insights 

• The cyber criminal ecosystem now resembles a service economy with specialized roles and offerings. 

• Tool-and-infrastructure marketplaces lower the barrier to entry for new attackers. 

• Access brokers sell privileged access and footholds, enabling rapid exploitation. 

• Services like phishing-as-a-service and malware distribution are commoditized. 

• Human-based services (e.g., social-engineering or insider collaboration) are part of the overall attack chain. 

Further Reading: Push Security 

VoidLink: Cloud-Native Malware Framework Weaponizing Linux Infrastructure  

Researchers have identified VoidLink, a cloud-native malware framework built specifically for Linux environments running in modern cloud infrastructure. Unlike traditional malware adapted for cloud use, VoidLink is designed from the ground up to operate in virtual machines, containers, and orchestration platforms. Its modular architecture allows operators to extend functionality while maintaining stealth, enabling long-term access and post-compromise activity across cloud workloads. 

Key Insights 

• VoidLink is purpose-built for cloud-native Linux environments, including virtualized and containerized infrastructure. 

• A modular plug-in architecture allows operators to tailor capabilities such as reconnaissance, persistence, and lateral movement. 

• The framework can identify cloud environments and adapt its behavior to blend in with legitimate activity. 

• Stealth and anti-analysis techniques are used to reduce detection and support long-term operations. 

• The design suggests a well-resourced threat focused on cloud and infrastructure-level compromise. 

Further Reading: Check Point Research 

ConsentFix Debrief: Browser-Native OAuth Phishing  

The ConsentFix debrief outlines a phishing technique that abuses legitimate OAuth consent flows to compromise accounts without stealing passwords or bypassing MFA. Instead of traditional credential harvesting, attackers trick victims into approving application access through a browser-based workflow, granting access tokens tied to trusted applications. This approach allows attackers to blend malicious activity into normal authentication behavior, making detection more difficult in enterprise identity environments. 

Key Insights 

• ConsentFix abuses legitimate OAuth consent flows rather than harvesting credentials. 

• Attacks operate entirely within the browser, avoiding many endpoint and email-based detections. 

• MFA is ineffective in this scenario because authentication occurs through a valid authorization process. 

• Targeting trusted or first-party applications helps attackers evade default access controls. 

• The technique reflects a shift toward identity-layer abuse rather than traditional phishing kits. 

Further Reading: Push Security 

CrashFix Browser Extension Campaign Delivers ModeloRAT  

Researchers identified a campaign linked to the threat actor KongTuke that uses a malicious browser extension to compromise systems. The extension poses as a legitimate utility, such as an ad blocker, but is designed to intentionally destabilize the browser. Victims are then presented with fake error messages that guide them into executing attacker-controlled commands, ultimately leading to the installation of a remote-access Trojan. 

Key Insights 

• The attack relies on a malicious browser extension disguised as a legitimate tool. 

• The extension deliberately crashes the browser to prompt user interaction. 

• Victims are socially engineered into running commands that install additional malware. 

• Corporate, domain-joined systems are targeted with more advanced payloads. 

• The technique combines social engineering with browser abuse rather than traditional phishing links. 

Further Reading: Huntress 

Microsoft Remains the Most Imitated Brand in Phishing Attacks in Q4 2025 

Check Point Research reports that Microsoft continued to be the most frequently impersonated brand in phishing attacks during Q4 2025. Attackers consistently leverage trusted, widely used brands to increase the likelihood of user interaction and credential compromise, particularly for access to email, cloud services, and productivity platforms. Technology companies remain the most attractive targets due to the value of associated identities and accounts. 

Key Insights 

• Microsoft accounted for the largest share of brand-based phishing attempts in Q4 2025. 

• Technology brands dominate phishing campaigns due to their broad user bases and access value. 

• Other commonly impersonated brands included Google, Amazon, Apple, and Meta. 

• Phishing lures often rely on realistic branding and subtle impersonation techniques to appear legitimate. 

Further Reading: Check Point Research 

Open-Source Python Script Drives Social Media Phishing Campaign 

Threat researchers identified a phishing campaign leveraging social media direct messages to distribute malicious files that ultimately lead to remote access trojan deployment. The activity relies on weaponized archives, DLL sideloading, and a legitimate open-source Python script to execute payloads while blending in with normal software behavior. The campaign highlights how threat actors are expanding beyond email to exploit trust within professional networking platforms. 

Key Insights 

• Social media direct messages are being used as a primary delivery mechanism, allowing attackers to bypass traditional email security controls. 

• The infection chain abuses DLL sideloading with legitimate applications and a portable Python environment to execute malicious activity. 

• Use of an open-source Python script reduces development effort while complicating detection by appearing benign. 

• Post-execution behavior indicates persistence and command-and-control communication consistent with remote access tooling. 

• Targeting suggests a focus on corporate users, where social engineering via trusted platforms increases engagement. 

Further Reading: ReliaQuest 

Payroll Diversion via Help Desk Social Engineering 

Threat researchers analyzed an incident in which attackers used phone-based social engineering to manipulate help desk workflows and redirect employee payroll to attacker-controlled bank accounts. By impersonating employees and exploiting weak identity verification processes, the adversary reset credentials, re-registered multi-factor authentication devices, and modified payroll details without exploiting technical vulnerabilities. The activity demonstrates how human-focused tactics can enable financial fraud while evading traditional security controls. 

Key Insights 

• The attack relied on voice-based impersonation of employees to bypass help desk authentication procedures. 

• Publicly available personal details were used to satisfy challenge-response questions and gain account access. 

• Credential resets and MFA re-enrollment enabled control over payroll, HR, and IT-related systems. 

• Payroll redirection remained undetected until employees reported missing paychecks. 

• The intrusion exposed gaps in identity change monitoring and cross-departmental alerting. 

Further Reading: Unit 42 

AI-Powered HTMLMIX Obfuscation Tool Reshapes Phishing Tactics 

Threat researchers analyzed HTMLMIX, an AI-enabled phishing obfuscation platform actively used to generate large volumes of unique phishing emails. The tool automates HTML code transformation and content variation to undermine signature-based detection, enabling attackers to scale phishing campaigns while maintaining high delivery success. This activity reflects a broader shift toward AI-assisted automation within phishing operations. 

Key Insights 

• HTMLMIX programmatically alters HTML structure to produce thousands of distinct email variants from a single template. 

• Automated obfuscation techniques include layout restructuring, CSS manipulation, and hidden character insertion to evade pattern-based detection. 

• AI-driven content features introduce language variation, preview text changes, and fabricated email threads to increase realism. 

• API-based workflows allow the tool to integrate directly into phishing delivery pipelines for rapid campaign scaling. 

• Short-lived redirect infrastructure is used to mask malicious destinations and improve initial deliverability. 

Further Reading: Abnormal AI 

Fake CAPTCHA Pop-Ups Used to Trick Website Visitors 

A campaign known as ClearFake is using compromised websites to display fake verification pop-ups that look like routine security checks. These prompts guide visitors through simple steps that appear harmless but actually trigger hidden commands on their computers. Because the scam appears on real, trusted websites, it can be difficult for everyday users to recognize what’s happening. 

Key Points 

• Legitimate websites are being altered to display fake verification messages. 

• The pop-ups instruct users to perform basic actions that quietly run harmful commands. 

• Familiar technology and services are used to make the activity seem normal. 

• Once the commands run, additional unwanted software can be installed without clear warning. 

• The use of trusted websites and common prompts increases the likelihood of user interaction. 

Further Reading: Expel 

2026 Threat Forecast: Top Cyberattacks Set to Increase Enterprise Exposure 

Email remains the primary entry point for attackers, and emerging campaigns are increasingly focused on exploiting trust, identity, and routine workflows to bypass defenses. Threat actors are layering social engineering techniques with technical evasion methods to increase success rates and reduce detection, signaling a continued shift toward human-centric attack vectors. 

Key Insights 

• Attackers are refining multi-stage phishing workflows (e.g., QR codes and vendor impersonation) to condition targets and evade security controls. 

• Social engineering remains central, with threat actors embedding themselves in legitimate communication threads to increase credibility. 

• Look-alike domains, branding mimicry, and personalized phishing pages are becoming more common to improve credential theft success. 

• Email continues to be the most reliable initial access vector due to its ubiquity and reliance on human interaction. 

Further Reading: Abnormal AI 

Real-Time Malicious JavaScript Generated Through LLMs 

Threat researchers identified a technique where attackers use large language models to generate malicious JavaScript code in real time inside a victim’s browser. Instead of hosting harmful code on attacker-controlled infrastructure, the webpage dynamically requests code generation during the visit, producing phishing functionality only at execution time. This approach makes the activity harder to detect because the malicious content does not exist until the moment it runs. 

Key Insights 

• Malicious JavaScript is generated dynamically during page visits rather than being stored on a server. 

• Each execution produces unique code, reducing the effectiveness of signature-based detection. 

• Requests to trusted LLM service domains can blend in with normal web traffic. 

• The technique enables phishing pages to be customized in real time based on victim context. 

• Detection becomes more difficult because the malicious logic exists only briefly in the browser. 

Further Reading: Unit 42 

Phishing Messages Masquerade as Collaboration Platform Invites 

A phishing campaign is abusing trusted collaboration platform notifications to deliver scam messages that look like legitimate invitations. By using real platform features, the messages appear routine and familiar, increasing the chances that recipients engage without questioning them. Instead of pushing malicious links, the messages often steer people toward fake support interactions. 

Key Points 

• Legitimate collaboration platform features are being used to send deceptive invitations. 

• Messages are designed to look like normal work notifications, such as billing or subscription alerts. 

• Some scams avoid links entirely and instead prompt users to contact fraudulent support numbers. 

• The volume of messages is high, affecting users across many organizations. 

• Familiar workplace tools are being leveraged to make scams feel routine and trustworthy. 

Further Reading: Check Point 

Kimwolf Botnet Embedded in Corporate and Government Networks 

Threat researchers reported widespread activity tied to the Kimwolf botnet, which has infected millions of internet-connected devices and is now appearing inside corporate and government environments. Once embedded, compromised devices can be used to relay malicious traffic, participate in large-scale denial-of-service activity, and scan internal networks for additional targets. The presence of consumer-grade devices inside enterprise environments is expanding the botnet’s reach beyond its original footprint. 

Key Insights 

• Kimwolf primarily spreads through compromised internet-connected devices, including consumer hardware. 

• Infected systems are used to generate large volumes of malicious traffic and denial-of-service activity. 

• Once inside an organization, compromised devices can scan internal networks for other reachable systems. 

• Residential proxy infrastructure is leveraged to mask command-and-control activity. 

• The botnet’s scale and persistence indicate continued risk despite partial disruption efforts. 

Further Reading: KrebsOnSecurity 

Infostealer Data Cache Exposes 149 Million Credentials 

Threat researchers identified a large, publicly accessible database containing roughly 149 million stolen login credentials. The data was collected by infostealer malware that silently harvests usernames and passwords from infected devices and aggregates them for later use. Because the database was left exposed without protection, the credentials could be accessed and abused for large-scale account takeover, fraud, and follow-on intrusion activity. 

Key Insights 

• The dataset contained approximately 149 million unique username and password combinations. 

• Infostealer malware was the likely source, collecting credentials directly from compromised endpoints. 

• Exposed credentials spanned a wide range of services, including email, financial platforms, and consumer accounts. 

• Some entries were associated with corporate, government, and educational domains, increasing targeting risk. 

• The unsecured database remained accessible long enough to pose a meaningful risk of reuse by other threat actors. 

Further Reading: ExpressVPN 

Multi-Stage AiTM Phishing and BEC Campaign Abusing SharePoint 

Threat researchers uncovered a coordinated campaign that combines adversary-in-the-middle phishing with business email compromise techniques. The activity abuses trusted cloud collaboration services to deliver phishing lures, steal session data, and expand access once an initial account is compromised. By leveraging familiar internal workflows, the attackers were able to spread both inside and outside targeted organizations. 

Key Insights 

• Phishing lures were designed to look like legitimate SharePoint document shares from trusted senders. 

• Stolen credentials and session tokens allowed attackers to bypass standard login protections. 

• Malicious inbox rules were created to hide follow-on activity and maintain access. 

• Compromised accounts were used to send additional phishing messages to internal and external contacts. 

• The campaign demonstrates how trusted collaboration platforms can be misused to scale email compromise. 

Further Reading: Microsoft Security Blog 

Fake CAPTCHA Prompts Used to Trick Users Into Installing Malware 

Researchers have identified a scam that uses fake “CAPTCHA” verification screens to deceive users into installing malicious software. Instead of a simple checkbox, these prompts instruct people to copy and run a command on their own device, which secretly launches malware designed to steal sensitive information. Because the steps look like a normal verification process, many users don’t realize anything is wrong until after their system is compromised. 

Key Points 

• Fake CAPTCHA pages instruct users to manually run commands as part of a supposed verification step. 

• Following these instructions can silently install malware on the device. 

• The malware is designed to collect sensitive data such as saved passwords and browser information. 

• Trusted system tools are abused to make the activity look legitimate. 

• The attack relies heavily on user interaction, making it harder to spot at first glance. 

Further Reading: Blackpoint Cyber 

Scam Emails Abuse a Real Microsoft Address 

Scammers are sending fraudulent emails that appear to come from a legitimate Microsoft notification address, making the messages look trustworthy at first glance. Because these emails originate from a real Microsoft service that some organizations allow by default, they can slip past spam filters and land directly in inboxes. The messages often claim an urgent issue, such as an unexpected charge, and push recipients to take immediate action. 

Key Points 

• Scam messages are being sent from a real Microsoft notification address. 

• The emails are designed to look authentic and bypass some email filters. 

• Messages often create urgency by claiming billing or account problems. 

• Recipients may be directed to call a phone number controlled by scammers. 

• Trusted services can be abused to make scams more convincing. 

Further Reading: Ars Technica 

Detection and Response Are Moving Beyond the Endpoint 

Security teams are reassessing the limits of traditional endpoint detection and response (EDR) tools as more attacks avoid touching the operating system altogether. Modern threat activity increasingly unfolds inside browsers and cloud applications, where users authenticate, access data, and perform daily work. This shift is driving interest in detection and response capabilities that extend beyond endpoints to cover browser-based attack paths. 

Key Insights 

• EDR remains effective for threats that execute directly on a device, such as malware and suspicious process activity. 

• Many modern attacks operate entirely within browsers, targeting credentials, sessions, and cloud access. 

• Browser-based phishing, session hijacking, and token theft may generate little or no endpoint telemetry. 

• Attackers are adapting to where users work, focusing on identity and access rather than device compromise. 

• Security strategies are increasingly combining endpoint visibility with browser-level detection. 

Further Reading: Push Security 

TA584 Continues to Evolve Its Initial Access Playbook 

Threat researchers report that the activity cluster tracked as TA584 continues to adapt how it gains initial access to victim environments. The group remains highly active, cycling through new email lures, delivery techniques, and malware families to keep campaigns effective. This ongoing evolution highlights how initial access operations are becoming more flexible and harder to disrupt through static defenses alone. 

Key Insights 

• TA584 operates as a high-volume initial access actor with frequent changes to campaign themes and infrastructure. 

• Email remains the primary delivery method, with lures tailored to specific regions, brands, or current events. 

• Campaigns increasingly rely on redirection chains and customized landing pages to drive user interaction. 

• The actor rotates malware families, including remote access tools that can enable follow-on activity such as ransomware. 

• Rapid campaign turnover reduces the effectiveness of signature-based and content-only detections. 

Further Reading: Proofpoint 

IClickFix Framework Abuses Compromised WordPress Sites to Deliver Malware 

Threat researchers have identified a large-scale malicious framework known as IClickFix that leverages compromised WordPress websites to distribute malware. Visitors to affected sites may be presented with deceptive verification prompts designed to trick them into manually executing commands on their own systems. This approach combines widespread infrastructure abuse with social engineering to infect victims at scale. 

Key Insights 

• IClickFix injects malicious scripts into compromised WordPress sites to redirect visitors to deceptive prompts. 

• Victims are shown fake CAPTCHA-style challenges that instruct them to copy and run commands. 

• Executing these commands leads to malware installation without exploiting a software vulnerability. 

• The framework has been active for months and has impacted thousands of websites globally. 

• Delivered payloads include tools that enable persistent remote access to infected systems. 

Further Reading: SEKOIA Blog 

Windows Moves Toward Disabling NTLM Authentication by Default 

Microsoft is advancing plans to reduce reliance on the legacy NTLM authentication protocol by disabling it by default in future Windows releases. NTLM has long been used as a fallback mechanism, but its design exposes environments to well-known attack techniques. The shift reflects a broader move toward modern, identity-centric authentication models across Windows ecosystems. 

Key Insights 

• NTLM is considered a legacy protocol with known weaknesses that attackers can exploit. 

• Future Windows versions will favor modern authentication methods such as Kerberos. 

• Microsoft is taking a phased approach to help organizations identify and reduce NTLM usage. 

• New authentication capabilities are being introduced to cover scenarios where NTLM was historically required. 

• NTLM will remain available for legacy compatibility but must be explicitly enabled. 

Further Reading: Microsoft Tech Community 

NSA Releases Initial Zero Trust Implementation Guidelines 

The U.S. National Security Agency has released the first set of guidance in a new series aimed at helping organizations implement zero trust principles in a structured, practical way. These initial materials focus on establishing visibility and understanding of environments before moving into enforcement, providing a foundation for more mature zero trust capabilities over time. 

Key Insights 

• The first releases introduce a primer and a discovery-focused phase to help organizations map assets, data, services, and access patterns. 

• Emphasis is placed on understanding the environment before applying controls or policy enforcement. 

• The guidance is modular, allowing organizations to adopt elements based on their maturity and priorities. 

• Later phases are expected to build on this foundation with more detailed implementation activities. 

• While developed with government use cases in mind, the guidance is applicable to broader enterprise zero trust efforts. 

Further Reading: NSA 

TA584 Continues to Evolve Initial Access Tactics 

Threat researchers report that the activity cluster tracked as TA584 continues to adapt how it gains initial access to victim environments. This actor is highly active, rotating email lures, delivery techniques, and malware families to keep campaigns effective and harder to block. The ongoing evolution highlights how initial access operations are becoming more adaptable and challenging for defenses that rely on static indicators. 

Key Insights 

• TA584 operates as a high-volume initial access actor with frequent changes to campaign themes and infrastructure. 

• Email remains the primary delivery method, with lures tailored to specific regions, brands, or events to increase engagement. 

• Campaigns often use redirection chains and customized landing pages to encourage interaction while bypassing security filters. 

• The group cycles through multiple malware types, including remote access tools that can facilitate follow-on compromise. 

• Rapid campaign turnover reduces the effectiveness of signature-based and content-only detection techniques. 

Further Reading: Proofpoint 

FBI Launches Operation Winter SHIELD to Boost Cyber Resilience 

The FBI has introduced Operation Winter SHIELD, a nationwide initiative focused on strengthening cyber resilience across public and private organizations. Drawing directly from real-world investigations, the effort highlights common weaknesses attackers exploit and outlines practical defensive actions aimed at reducing exposure to both criminal and state-linked cyber activity. 

Key Insights 

• Operation Winter SHIELD distills lessons learned from FBI cyber investigations into a concise set of high-impact actions. 

• The initiative focuses on reducing common attack paths used in ransomware, espionage, and disruptive campaigns. 

• Recommendations span identity protection, system hardening, and improved visibility across IT and operational technology environments. 

• The campaign emphasizes proactive preparation rather than reactive incident response. 

• Winter SHIELD supports broader efforts to improve national cyber resilience through public–private collaboration. 

Further Reading: FBI 

Fake Dropbox Emails Used to Steal Login Details 

Attackers are circulating phishing emails that impersonate Dropbox and attempt to trick recipients into handing over their account credentials. The messages often look like routine business communications and include a PDF attachment. When opened, the document directs the user to a fake Dropbox login page designed to capture usernames and passwords. 

Key Points 

• Phishing emails are crafted to look like legitimate Dropbox notifications or file-sharing messages. 

• PDF attachments are used to make the email appear business-related and trustworthy. 

• Links inside the document lead to counterfeit login pages. 

• Entered credentials are captured by attackers and can be reused to access other accounts. 

• The technique relies on familiar brands and file formats to lower suspicion. 

Further Reading: CybersecurityNews 

ShinyHunters-Linked Attacks Target SaaS Environments 

Threat intelligence analysis highlights how activity associated with the ShinyHunters cybercrime ecosystem is increasingly focused on compromising software-as-a-service environments. Rather than exploiting technical vulnerabilities, these campaigns rely on social engineering and identity abuse to gain access to cloud platforms, allowing attackers to move laterally across connected services and exfiltrate sensitive data for extortion. 

Key Insights 

• ShinyHunters-linked operations rely heavily on phishing and voice-based social engineering to steal SSO credentials and MFA codes. 

• Once identities are compromised, attackers abuse trust relationships to access multiple SaaS applications. 

• These attacks are identity-centric and often leave little traditional endpoint evidence. 

• Stolen credentials and session access enable large-scale data theft without exploiting software flaws. 

• Identity visibility and rapid response are critical to limiting impact once access is gained. 

Further Reading: Google Cloud 

SLH Campaign Blends Vishing With AiTM Phishing for Account Takeover 

Threat researchers analyzed a recent campaign attributed to the group tracked as SLH that combines live phone-based social engineering with adversary-in-the-middle phishing. Attackers initiate contact by posing as internal IT support, then guide victims to a phishing site designed to capture credentials, MFA codes, and active session tokens. With this access, the actors can move quickly across connected cloud services using the victim’s identity. 

Key Insights 

• The campaign starts with phone calls impersonating IT staff to establish trust. 

• Victims are steered to a phishing site that captures credentials and MFA in real time. 

• Stolen session tokens enable immediate access to SSO-protected services. 

• The hybrid vishing-plus-phishing approach increases success and evasion. 

• Identity abuse allows attackers to expand access without deploying malware. 

Further Reading: Push Security