This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.

Impact Solutions: The Point-and-Click Toolkit Democratizing Malware Delivery 

A newly observed phishing toolkit—Impact Solutions—provides a user-friendly, point-and-click interface that lets low-skill threat actors generate weaponized attachments (e.g., .lnk shortcuts, HTML smuggling files, malicious SVGs) and staged payloads. The kit emphasizes social-engineering effectiveness (icon spoofing, decoy documents, Cloudflare-style verification prompts) and includes UAC bypasses, sandbox checks, and techniques intended to evade SmartScreen and many antivirus solutions. 

Key Insights 

• Low skill, high impact: The toolkit produces ready-to-send malicious artifacts (shortcut builders, HTML smuggling templates, SVG payloads) that remove the need for malware development expertise. 

• Social-engineering first: Files are crafted to look legitimate (PDF icons, real-looking invoices, faux verification pages) and often present decoy documents while executing payloads in the background. 

• Evasion features: Built-in UAC bypass attempts, anti-VM/sandbox checks, AppData execution, and claims to bypass SmartScreen and common AV detection. 

• ClickFix-style and staged attacks: Some templates instruct users to paste Win+R commands or open local file paths, enabling ClickFix-style execution flows and multi-stage downloads. 

• Defender opportunity: Behavioral and contextual email analysis (rather than signature matching) is more effective at detecting these campaigns, since the artifacts intentionally evade static detection. 

Further Reading: Abnormal AI – Impact Solutions: The Point-and-Click Toolkit Democratizing Malware Delivery 

Massive Surge in Scans Targeting Palo Alto Networks Login Portals 

BleepingComputer has observed a significant spike in reconnaissance activity against Palo Alto Networks devices. Thousands of hosts globally are probing PAN-OS management or login endpoints (ports 443, 7239, 7777) in just a short timeframe. This wave of scanning appears preliminary—likely mapping vulnerable or misconfigured devices for potential follow-on attacks, such as exploitation, credential stuffing, or proxy pivoting. 

Key Insights 

• Scans primarily target authentication portals for PAN-OS and administrative web UIs (e.g. ports 443, 7239, 7777). 

• Most scanning traffic originates from distributed IP pools, indicating broad reconnaissance campaigns rather than focused attacks. 

• Such scanning often precedes attacks like SSRF, zero-day exploits, credential brokering, or lateral pivots through exposed devices. 

• Organizations should monitor unusual traffic to management endpoints and verify that PAN device interfaces are properly firewalled and accessible only to trusted networks. 

Further Reading: Bleeping Computer – Massive Surge in Scans Targeting Palo Alto Networks Login Portals 

ShinyHunters (UNC6040) Launches Corporate Extortion Blitz 

The ShinyHunters group, operating under aliases like Scattered LAPSUS$ Hunters and associated with threat cluster UNC6040, has initiated a broad extortion campaign threatening dozens of Fortune 500 companies. The group claims to have stolen sensitive Salesforce data through voice-phishing, along with terabytes of consulting/project files from Red Hat and token access data from Salesloft. They are demanding ransom under threat of public data release. 

Key Insights 

• Theft method: voice phishing was used to trick organizations into granting access to Salesforce; stolen data includes authentication tokens and customer records. 

• Victim profile: major companies such as Toyota, FedEx, Disney/Hulu, UPS, Red Hat, and others are alleged victims. 

• Extortion tactics: the group has published a “victim shaming” blog demanding ransom, threatening to leak data otherwise; claims to have compromised large volumes of configuration, consulting, and secret infrastructure elements. 

• Malware and targeting: They use malicious message attachments disguised as screensavers (.scr/.news-style), distributed via phishing; payloads include backdoors (e.g. ASYNCRAT) with capabilities like file exfiltration, keylogging, screenshot capture, etc. 

• Legal and law-enforcement response: Some members are already indicted or convicted; companies such as Salesforce publicly refuse to negotiate with ransom demands, emphasizing forensic analysis and regulatory contact. 

Further Reading: Krebs on Security – ShinyHunters Wage Broad Corporate Extortion Spree 

ClickFix Generator: New Automated Toolkit Enables Mass Social Engineering Attacks 

Unit 42 has discovered a first-of-its-kind ClickFix Generator toolkit that enables threat actors to automate the creation of ClickFix-style phishing campaigns at scale. The generator crafts prompt texts, social engineering flows, and malicious payloads, allowing adversaries to produce campaign modules in a matter of minutes instead of hours. Early usage traces suggest the tool is already active in the wild, deployed in multiple targeted phishing campaigns. 

Key Insights 

• Quick campaign assembly: With ClickFix Generator, attackers can build full campaigns (lures, messaging flow, payload delivery) rapidly. 

• Template-based operations: The toolkit comes with prebuilt templates for lures (e.g., “Update Required,” “Verification Needed”) and payload strategies. 

• Operational reuse: Once built, modules can be re-used or tweaked across multiple campaigns to reduce development overhead. 

• Detection challenges: Automated tooling increases the volume and diversity of campaigns, making static signatures less effective; defenders must rely more on flow behavior analytics and anomaly detection. 

Further Reading: Unit 42 – ClickFix Generator: First-of-Its-Kind Automated Toolkit Observed in the Wild 

Employees Sharing Company Secrets with ChatGPT: Rising AI Data-Leak Risk 

New research shows a worrying trend: about 77% of enterprise employees regularly paste sensitive corporate data into generative AI tools like ChatGPT. Even more concerning, around 82% of those interactions come from unmanaged personal accounts, putting oversight, compliance, and data protection at risk. The study also flagged that 40% of files uploaded to these tools contain sensitive info like payment data, and 22% of pasted content includes regulated or proprietary information. 

Key Insights 

• Using personal accounts to access AI tools creates blind spots for corporate IT and security teams. 

• Routine copying and pasting of internal data into AI tools bypasses traditional data loss prevention tools. 

• Sensitive data exposure isn’t limited to large uploads—small text snippets can still cause regulatory or competitive harm. 

• Employee training and strict AI usage policies are essential to protect company data. 

Further Reading: Cyber Security News – “Employees Share Company Secrets on ChatGPT” 

Upcoming Changes to Internet Explorer Mode in Microsoft Edge 

Microsoft is updating how Internet Explorer Mode (IE Mode) works in Edge, with implications for compatibility, policy enforcement, and legacy application support. These changes impact how organizations manage legacy web apps relying on the IE11 engine via Edge’s integrated mode. 

Key Insights 

• IE Mode enables legacy IE11 rendering (Trident/MSHTML engine) within Edge for compatibility with older intranet sites and applications. 

• Only sites explicitly configured (via Enterprise Mode Site List or Group Policy) will load in IE Mode; others default to modern rendering. 

• Upcoming updates may restrict or alter certain IE Mode behaviors—affecting ActiveX, legacy scripting, user agent emulation, or navigation fallback logic. 

• Organizations should audit and catalog legacy Web apps now to ensure a smooth transition before changes take effect. 

Further Reading: Microsoft – Changes to Internet Explorer Mode in Microsoft Edge 

100,000+ IP Botnet Launches Coordinated RDP Attack Wave 

GreyNoise observed a coordinated botnet operation (started Oct 8, 2025) involving over 100,000 unique IPs from 100+ countries targeting U.S. Remote Desktop Protocol (RDP) infrastructure using RD Web Access timing attacks and RDP web-client login enumeration. 

Key Insights 

• Mass scale & coordination: The activity involves over 100,000 IPs that share a similar TCP fingerprint, indicating centralized control. 

• Primary vectors: Operators leveraged RD Web Access timing attacks and RDP Web Client login enumeration to probe and enumerate targets. 

• Geographic distribution: Source IPs originated from 100+ countries, but attacks were concentrated on U.S. RDP infrastructure. 

• High-confidence botnet assessment: GreyNoise attributes this as a single multi-country botnet campaign rather than unrelated scanners. 

Further Reading: GreyNoise – 100,000+ IP Botnet Launches Coordinated RDP Attack Wave 

7-Zip Vulnerabilities: Code Execution, MoTW Bypass & RAR5 Crashes 

Several significant vulnerabilities in 7-Zip (versions prior to 24.07 / 24.09 / 25.00 depending on the issue) have been discovered and/or exploited. These flaws allow attackers to bypass Windows’ “Mark-of-the-Web” protections, execute arbitrary code via crafted archives, or crash systems using malicious RAR5 files. 

Key Insights 

• A critical vulnerability (CVE-2025-0411) lets nested archives bypass MoTW protections, enabling malware delivery without triggering usual warnings. 

• Another high-severity bug in the Zstandard decompression module enables remote code execution in affected versions before 24.07. 

• RAR5 decoder vulnerability (CVE-2025-53816) allows denial-of-service conditions via malicious RAR5 archives in versions before 25.00. 

• Version 25.00 (and 25.01 for some symbolic link flaws) includes fixes; users must update manually since 7-Zip lacks automatic update features. 

Further Reading: CyberNews – 7-Zip Vulnerabilities 

Espionage Exposed: North Korean Remote Worker Network 

KELA’s investigation has uncovered thousands of North Korean operatives using fabricated identities and AI-assisted tools to land remote jobs in design, engineering, IT, and architecture. Their employment is a dual-purpose strategy: generate revenue for the regime and gain access to sensitive data, proprietary designs, or system access from within organizations. 

Key Insights 

• Operatives use AI-generated headshots, edited identification, and falsified backgrounds to pass hiring checks. 

• Target roles span technical and creative fields—beyond just software development. 

• Evidence links some accounts to infostealer logs and developer-level system access. 

• Detection patterns include reused passwords, temporary email domains, and unusually polished portfolios for new accounts. 

Further Reading: KELA – Espionage Exposed: Inside a North Korean Remote Worker Network 

Healthcare Ransomware Roundup: Q1–Q3 2025 

According to Comparitech’s 2025 report, ransomware and data breaches in healthcare have continued their alarming trend. The first three quarters saw more than 350 publicly disclosed attacks, resulting in over 140 million records impacted and ransom demands totaling over $350 million. The report highlights the prevalence of vulnerabilities, misconfigurations, and operational dependencies that make healthcare systems a persistent target. 

Key Insights 

• Healthcare organizations face especially high ransomware pressure, given the value and sensitivity of patient data. 

• Large-scale attacks disproportionately impact smaller entities, which lack mature cyber resilience strategies. 

• Ransom demand sizes continue to escalate—multiple cases exceeded $10 million. 

• Attack vectors remain consistent: phishing, unpatched systems, remote desktop exploits, and misconfigured cloud services. 

Further Reading: Comparitech – Healthcare Ransomware Roundup Q1–Q3 2025 

Tracking ClickFix Infrastructure (AITMFeed / Lab539) 

Security analysts have begun mapping core infrastructure used to support ClickFix campaigns, consolidating domain, redirect, and payload delivery patterns. The reconstruction aids defenders in identifying malicious modules tied to active campaigns. 

Key Insights 

• Infrastructure layering: Redirect chains often pass through multiple affiliate or proxy domains before landing on ClickFix lures. 

• Template reuse: Several ClickFix landing pages share structural and domain-naming patterns—indicating reuse by operators or shared kits. 

• Payload hosting nodes: Final payload domains are typically short-lived or dynamically rotated, complicating static blocklists. 

• Early indicators: Identified domains and redirect paths can serve as hunting indicators to uncover emerging ClickFix campaigns before payload execution. 

Further Reading: AITMFeed – Tracking ClickFix Infrastructure 

Record DDoS Botnet Targets U.S. ISPs (Krebs on Security) 

The Aisuru botnet, powered by hundreds of thousands of infected IoT devices, launched a record-breaking DDoS attack peaking at nearly 30 Tbps—impacting major U.S. ISPs such as AT&T, Comcast, and Verizon. Most compromised devices included routers and cameras running outdated firmware or default credentials. 

Key Insights 

• IoT exploitation: Aisuru spreads by scanning for unsecured consumer devices with weak or factory passwords. 

• Massive impact: Outbound attack traffic from U.S. networks degraded ISP and customer performance. 

• Mirai lineage: Built from the leaked Mirai code, Aisuru now dominates global IoT botnet activity. 

• Shared responsibility: ISPs and users must ensure devices are updated and secured to prevent botnet recruitment. 

Further Reading: Krebs on Security – DDoS Botnet Aisuru Blankets US ISPs in Record DDoS 

Stealthy Phishing Kit Targets Microsoft 365 Users (Barracuda) 

Barracuda researchers identified a new phishing kit, dubbed Whisper 2FA, designed to steal Microsoft 365 credentials and bypass multi-factor authentication. The kit operates in real time, capturing both login and MFA tokens through background scripts that validate credentials with attacker-controlled servers. 

Key Insights 

• Real-time MFA capture: Uses live AJAX loops to exfiltrate credentials and prompt victims until valid MFA tokens are obtained. 

• Anti-analysis techniques: Employs multiple layers of encoding, disables developer tools, and crashes browser inspection to avoid detection. 

• Rapid adoption: Nearly one million attack attempts observed in a month, placing Whisper 2FA among the top three phishing kits globally. 

• Kit evolution: Newer versions add stronger obfuscation and broader MFA method support, signaling active development and threat scalability. 

Further Reading: Barracuda – Threat Spotlight: Stealthy Phishing Kit Targets Microsoft 365 

PhantomVAI Loader Delivers Infostealers in Targeted Attacks 

Researchers at Palo Alto Networks’ Unit 42 have identified a new malware loader named PhantomVAI, which is being used to deliver well-known information stealers such as LummaC2 and Rhadamanthys. The loader uses deceptive Microsoft OneDrive-themed lures and employs advanced evasion tactics to bypass traditional security tools. 

Key Insights 

• PhantomVAI leverages phishing campaigns to distribute malicious payloads disguised as OneDrive documents. 

• The loader uses multilayered obfuscation and anti-analysis techniques to avoid detection. 

• Once executed, it deploys info-stealing malware that exfiltrates sensitive data, including credentials and browser information. 

• Its modular design allows threat actors to easily update and customize the loader for different payloads or delivery methods. 

Further Reading: Unit42 – PhantomVAI Loader Delivers Infostealers 

Non-Web Protocols: The Hidden Attack Surface (Zscaler ThreatLabz) 

Zscaler’s ThreatLabz team reports that attackers are increasingly leveraging non-web protocols—such as DNS, RDP, and SMB—to evade detection and exploit enterprise environments. The findings show that a significant share of modern intrusions now occur outside traditional web traffic channels. 

Key Insights 

• DNS abuse dominates: DNS-based tunneling, dynamic updates, and domain generation algorithms account for nearly 84% of non-web protocol attacks. 

• Brute-force activity surging: RDP represents over 90% of brute-force incidents, while SMB remains a key vector for lateral movement and ransomware propagation. 

• Retail and energy sectors hit hardest: Retail accounted for 62% of observed attacks, followed by energy and manufacturing industries where legacy systems persist. 

• Legacy protocols exploited: Long-trusted protocols like SMBv1 and RDP continue to be weaponized for access, persistence, and data exfiltration. 

Further Reading: Zscaler – Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface 

Scattered LAPSUS$ Hunters Shift Tactics Toward EaaS & Insider Recruitment (Unit 42 / Palo Alto Networks) 

Unit 42 reports that the cybercriminal group Scattered LAPSUS$ Hunters—known for major extortion operations—is evolving its approach. The group appears to be transitioning toward an Extortion-as-a-Service (EaaS) model while recruiting insiders and experimenting with new ransomware capabilities. 

Key Insights 

• Extortion-as-a-Service model: The group is offering affiliates the ability to run extortion campaigns without relying on traditional ransomware encryption. 

• Insider recruitment drive: Members are openly seeking employees within telecom, gaming, SaaS, and hosting companies across several Western countries. 

• Data leak activity: Following a public deadline, the group released data allegedly tied to multiple aviation, energy, and retail organizations. 

• New ransomware development: References to a tool dubbed “SHINYSP1D3R” suggest potential expansion into full ransomware operations. 

• Broader targeting: Beyond major tech platforms, the group’s focus now spans hospitality, retail, and loyalty program data. 

Further Reading: Unit 42 – Scattered LAPSUS$ Hunters Signal Shift in Tactics 

Tykit: New Phishing Kit Stealing Hundreds of Microsoft Accounts in Finance (ANY.RUN) 

Researchers at ANY.RUN have identified a new phishing kit framework, dubbed Tykit, that targets Microsoft 365 credentials across financial and corporate sectors. The kit demonstrates organized Phishing-as-a-Service (PhaaS) characteristics, allowing widespread deployment and efficient credential harvesting. 

Key Insights 

• Broad targeting: Active since May 2025, Tykit campaigns have primarily targeted finance, construction, IT, and professional services organizations. 

• Layered delivery chain: Attacks begin with an SVG image embedding encoded JavaScript that redirects victims to fake Microsoft 365 login pages. 

• Credential exfiltration: After submission, stolen data is transmitted through encrypted POST requests to attacker-controlled command-and-control endpoints. 

• Evasion and MFA bypass: The kit detects analysis tools, restricts developer console access, and supports methods to bypass two-factor authentication. 

• Commercial reuse: Numerous samples share nearly identical domain patterns and code structures, indicating large-scale kit distribution. 

Further Reading: ANY.RUN – Tykit Technical Analysis 

Microsoft 365 Copilot — Arbitrary Data Exfiltration via Mermaid Diagrams (Adam Logue) 

Adam Logue demonstrated an indirect prompt-injection technique against Microsoft 365 Copilot where a specially crafted Office document caused Copilot to fetch sensitive tenant data (e.g., recent emails), hex-encode it, and embed that encoded data into a generated Mermaid diagram. The diagram contained a clickable “login” artifact whose link pointed to an attacker server with the hex data in the URL; when activated the data was exfiltrated. Microsoft has since patched the issue by removing interactive/dynamic hyperlink behavior from Mermaid diagrams in Copilot. 

Key Insights 

• Indirect prompt injection + rendering chain: The attack chained prompt injection (hidden instructions in document sheets) with Copilot’s ability to call enterprise search tools and then render outputs into Mermaid. 

• Mermaid as an exfil channel: Mermaid diagrams support CSS/hyperlink features that can be abused to place large, encoded payloads (hex strings) into clickable artifacts. 

• Encoded-data transport: Exfiltration relied on Copilot hex-encoding fetched data and embedding it in a URL — simple to decode from server logs once received. 

• Click vs zero-click nuance: Adam’s PoC required a click to transmit the data, but related research (e.g., Cursor IDE) shows remote rendering can enable zero-click variants — increasing risk where renderers auto-fetch remote content. 

• Patch validated: Microsoft removed interactive/dynamic hyperlink behavior in Mermaid renders for Copilot, mitigating the specific vector; defenders should still treat diagram rendering and LLM tool integrations as risky. 

Further Reading: Adam Logue – Microsoft 365 Copilot: Arbitrary Data Exfiltration Via Mermaid Diagrams 

Beyond Credentials: Weaponizing OAuth Applications for Persistent Cloud Access (Proofpoint) 

Proofpoint researchers show how attackers are increasingly abusing OAuth applications to gain resilient, long-lived access inside compromised cloud environments. After an initial account takeover, adversaries can create or authorize internal OAuth apps with broad API scopes — allowing data access and command-and-control that survives password resets and MFA unless the malicious app is explicitly revoked. 

Key Insights 

• Persistence beyond credentials: Malicious OAuth apps retain authorized access even after victims change passwords or enable MFA, creating durable backdoors. 

• Automatable attack flow: Proofpoint developed a proof-of-concept and tooling that demonstrate how attackers can fully automate app creation, permission assignment, and authorization. 

• Internal app abuse: Attackers leverage the ability to register or authorize internal (second-party) applications with custom scopes to read mailboxes, files, and other sensitive cloud resources. 

• Long-lived tokens & stealth: Tokens and app permissions can remain valid for extended periods (months to years) and are often overlooked by standard account-centric detections. 

• Detection gaps: Traditional defenses focused on credentials (password resets, MFA) are insufficient; defenders need app-centric telemetry and regular permission audits. 

Further Reading: Proofpoint – Beyond Credentials: Weaponizing OAuth Applications for Persistent Cloud Access 

Prompt Injection to RCE in AI Agents (Trail of Bits) 

Trail of Bits demonstrates that argument-injection flaws in agent platforms can bypass “human approval” protections and lead to remote code execution (RCE). By exploiting pre-approved system commands whose arguments aren’t properly sanitized or separated, researchers achieved RCE across multiple popular agent implementations and propose design changes—like sandboxing and strict argument handling—to reduce the risk. 

Key Insights 

• Approved-command attack surface: Allowlisting commands (e.g., find, git, rg) while failing to validate or safely separate arguments creates a powerful injection vector. 

• Argument injection practicalities: Attackers can craft arguments that append or alter behavior of pre-approved commands (e.g., via special characters, facet patterns or malformed flags) to escalate to arbitrary execution. 

• Human-approval bypass: Workflows that auto-execute “safe” commands without robust argument checks let adversaries bypass intended human-in-the-loop controls. 

• Cross-platform prevalence: Trail of Bits reproduced the class of vulnerability across three different agent platforms, suggesting the issue is a common design antipattern. 

• Evasion & usability tradeoffs: Naïve blocking of arguments breaks legitimate functionality; secure designs require careful argument modeling or safer alternatives (e.g., dedicated APIs). 

• Mitigations recommended: Use sandboxed execution, strong argument separation/parsing, avoid facade patterns that accept raw argument strings, and log/monitor command invocations for anomalous parameters. 

Further Reading: Trail of Bits – Prompt injection to RCE in AI agents 

Global Smishing Campaign Targets Mobile Users (Unit 42 / Palo Alto Networks) 

A large-scale smishing (SMS phishing) campaign has been identified by Unit 42, targeting mobile users across multiple regions. Attackers are exploiting promotional hooks and limited oversight on mobile endpoints to deliver malicious links and credential-harvesting portals. 

Key Insights 

• Many messages impersonate banks, logistics firms, or retail brands and include URLs leading to credential-stealing sites or malicious apps. 

• The campaign spans numerous countries and uses localized language and brand cues to increase trust and response rates. 

• Because mobile devices often lack the endpoint protections found on desktops, the campaign leverages the low visibility of mobile threats to evade detection. 

• Tactics include use of short-link services, dynamic domains, and rapid rotation of landing pages to defeat static blocklists. 

Further Reading: Unit 42 

Devman’s RaaS Launch: The Affiliate Who Aims to Become the Boss (Analyst1) 

Research by Analyst1 reveals how a ransomware affiliate known as Devman evolved from working under major cybercrime groups to launching his own Ransomware-as-a-Service (RaaS) platform in late 2025. The report highlights his shift from affiliate to operator, his use of the leaked DragonForce code, infrastructure consolidation, and efforts to recruit new affiliates. 

Key Insights 

• Affiliate turned service operator: Devman transitioned from a high-performing affiliate to creating his own RaaS offering. 

• Capital investment signals seriousness: He actively purchased initial access in Western countries and built a dedicated leak site with high ransom demands. 

• Leveraging leaked code & bugs: His ransomware variant reused DragonForce/Conti code, showing both operational maturity and technical flaws. 

• Recruitment & platform launch: The RaaS platform went live in late September 2025, featuring affiliate recruitment messaging and new infrastructure. 

• Branding and self-promotion: Devman’s public persona projects a “gangster-entrepreneur” image, reflecting how ransomware operators blend crime with marketing. 

Further Reading: Analyst1 

Insider Threats Loom While Ransom Payment Rates Plummet (Coveware) 

Coveware’s latest report reveals that despite a sharp decline in ransom payments in Q3 2025, insider-caused incidents are growing in significance. Although organizations are less frequently paying ransoms, internal misuse, negligence, and compromised credentials by insiders are becoming key contributors to successful breaches. 

Key Insights 

• Ransom payment decline: Payment rates have fallen substantially, suggesting organizations are shifting to alternative recovery approaches. 

• Insider risk rise: The proportion of incidents involving insiders—whether malicious, negligent, or compromised—has increased notably. 

• Less money, more tactics: While the ransom amounts may drop, attackers are still achieving impact through stolen credentials, insider access, or supply-chain leverage. 

• Mitigation gap: Many organisations focused on external threat vectors but lack rigorous controls for internal access monitoring, exit protocols, and third-party liaison. 

Further Reading: Coveware – Insider Threats Loom While Ransom Payment Rates Plummet 

Catching Credential Guard Off-Guard (SpecterOps) 

SpecterOps researchers have detailed new techniques that undermine Windows Credential Guard, a key defensive feature meant to isolate and protect user credentials. The findings demonstrate how attackers with elevated privileges can bypass Credential Guard to extract sensitive authentication data, even in systems considered fully protected. 

Key Insights 

• Bypass through privilege misuse: Attackers can exploit accounts with specific service permissions to sidestep Credential Guard’s memory isolation. 

• In-memory data extraction: New tools enable credential dumping directly from protected memory regions, exposing NTLM hashes and LSA secrets. 

• Detection blind spots: Many defenders rely on Credential Guard as a standalone safeguard; this research highlights the need for behavioral detection and anomaly monitoring. 

• Lateral movement risk: Compromised credentials obtained through these methods allow stealthier privilege escalation and movement within the network. 

Further Reading: SpecterOps 

LockBit Returns — and It Already Has Victims (Check Point Research) 

The ransomware group LockBit, previously disrupted in early 2024, has re-emerged under a new variant known as LockBit 5.0 (ChuongDong). Check Point Research confirmed new attacks spanning Windows, Linux, and ESXi systems across multiple regions, signaling a full return of one of the most prolific Ransomware-as-a-Service (RaaS) operations. 

Key Insights 

• Affiliate recruitment resumes: LockBit is again advertising in underground forums, rebuilding its affiliate ecosystem. 

• Expanded platform targeting: The updated variant includes support for Windows, Linux, and ESXi environments. 

• Enhanced capabilities: Faster encryption and new evasion methods improve operational efficiency for attackers. 

• Global victim impact: Confirmed incidents across multiple continents indicate the group’s infrastructure is fully operational again. 

• RaaS resilience: Despite past takedowns, the LockBit model demonstrates the durability of ransomware service ecosystems. 

 Further Reading: Check Point Research 

The YouTube Ghost Network (Unmasked – Check Point Research) 

Researchers at Check Point Research uncovered a large-scale malware-distribution operation on YouTube — dubbed the YouTube Ghost Network — which used compromised and fake channels to post over 3,000 videos offering game cheats and cracked software, but in fact delivering infostealers like Rhadamanthys and Lumma Stealer. Those videos amassed hundreds of thousands of views and were deliberately boosted with fake likes and comments to create trust. The network mapped multiple account-roles (video-uploads, community posts, interaction bots) and showed how malware actors are abusing platform trust and engagement tools to run self-infection traps at scale. 

Key Insights 

• Role-based account structure: The network divided labor across accounts: content uploaders, engagement bots, and link/post sharers — enabling resilience even when channels were banned. 

• High-engagement deception: Some videos had hundreds of thousands of views and positive comment streams, increasing perceived legitimacy. 

• Infostealer distribution via “free” software lure: The campaigns baited users with cracked software or game hacks, directing them to archives hiding infostealers. 

• Massive scale and rapid growth: Over 3,000 malicious videos were identified, with 2025 upload volume tripling from prior years. 

• Platform-trust exploitation: Attackers leveraged YouTube’s social features to amplify reach and bypass traditional detection systems. 

Further Reading: Check Point Research 

Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited (Unit 42 / Palo Alto Networks) 

A critical vulnerability in the Windows Server Update Services (WSUS) role—tracked as CVE-2025-59287—allows unauthenticated remote code execution (RCE) on Windows servers where WSUS is enabled. Researchers observed active exploitation following Microsoft’s emergency patch, making this a high-priority threat for enterprises. 

Key Insights 

• Unauthenticated system-level access: Attackers exploiting the vulnerability can execute arbitrary code as SYSTEM on affected WSUS servers. 

• Wide exposure: Thousands of publicly exposed WSUS instances were detected, broadening the potential attack surface. 

• Rapid post-patch exploitation: Exploitation began shortly after an out-of-band update and the vulnerability was added to the U.S. known-exploited vulnerabilities catalog. 

• Reconnaissance & exfiltration patterns: Observed attack chains include WSUS service processes spawning shells that gather domain data and exfiltrate via webhooks. 

• Preventable risk exposure: WSUS should never be Internet-facing; failing to block default WSUS ports or disable unused roles significantly increases risk. 

Further Reading: Unit 42 

New Phishing Attack Uses Invisible Characters to Evade Filters (Cybersecurity News) 

Security researchers have observed a campaign that embeds invisible Unicode characters (zero-width and similar) into email subjects and URLs to evade keyword-based filters and URL reputation checks. The technique breaks up recognisable words and link patterns so automated scanners miss them while email clients render the content normally for users — increasing click-through risk and lowering detection rates. 

Key Insights 

• Invisible-character obfuscation: Attackers insert zero-width spaces, soft hyphens, and other invisible Unicode characters into subject lines and URLs to defeat pattern-matching and reputation checks. 

• MIME/encoding abuse: Malicious emails use MIME tricks and encoded attachments (SVGs, HTML) to hide payloads and redirect chains from straightforward inspection. 

• SafeLinks & gateway bypasses: The obfuscation can break or bypass URL-rewriting and safe-link protections, causing scanners to misclassify or truncate suspicious links. 

• User-facing normalcy: Message lists may display garbled or incomplete subjects while the opened email shows a readable, convincing lure — increasing the chance a recipient will engage. 

• Hunting signals: Look for unusually high counts of zero-width/unicode characters in subjects/URLs, mismatched subject rendering between list view and message view, and abnormal redirect chains from SVG/HTML attachments. 

Further Reading: Cybersecurity News 

Exploiting Trust in Collaboration: Microsoft Teams Vulnerabilities Uncovered (Check Point Research) 

Check Point Research found multiple vulnerabilities in Microsoft Teams that let attackers manipulate conversations and notifications to impersonate colleagues, alter message content silently, and forge caller identities. The flaws exploit trust built into collaboration features—such as message identifiers, conversation topics, and call initiation fields—allowing attackers to mislead recipients without obvious signs of tampering. 

Key Insights 

• Invisible message edits: Attackers can rewrite previously sent messages without triggering the “Edited” label, undermining the integrity of chat history. 

• Spoofed notifications: Notification fields can be manipulated so alerts appear to originate from trusted executives or colleagues. 

• Display-name manipulation: Conversation topics in private chats can be changed to alter displayed participant names, misleading recipients about who they’re speaking with. 

• Forged caller identity: Call initiation fields can be abused to present arbitrary names during audio/video calls, enabling convincing impersonation. 

• Platform-trust attack surface: Collaboration apps’ built-in trust signals (notifications, display names, edit markers) can be weaponized to bypass user assumptions and social-engineering defenses. 

Further Reading: Check Point Research 

Phishing Campaign Abuses Cloudflare Services (Cyber Security News) 

A new large-scale phishing campaign has been discovered exploiting the infrastructure of Cloudflare Pages and ZenDesk to host malicious login portals, leveraging trusted cloud platforms to evade detection and harvest credentials. Over 600 malicious *.pages.dev domains were involved, using typosquatting of support portals and live chat operators to further trick victims. Cyber Security News 

Key Insights 

• Trusted-platform exploitation: Attackers register domains under *.pages.dev (Cloudflare Pages) and use Zendesk hubs to make pages appear legitimate, thereby defeating reputation-based defenses. 

• Mass-scale credential harvest: More than 600 malicious domains were identified in the campaign, showing rapid registration and deployment of phishing infrastructure. 

• Live-chat assault vector: In some cases, human operators engaged victims via embedded chat interfaces, requesting phone numbers and convincing them to install remote tools under the guise of “support.” 

• Technical advance in delivery: The attackers used Google Site Verification and Microsoft Bing Webmaster tokens to validate fake pages and improve its search legitimacy and SSO poisoning potential. 

• Multi-vector exit stratagem: Beyond credential theft, the campaign steered victims to install legitimate remote-monitoring tools repurposed for malicious access, increasing post-compromise risk. 

Further Reading: Cyber Security News 

This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.

Targeted Prompt Injection in GitHub Copilot via Issue-Based Backdoors 

An emerging threat model highlights how malicious actors can hijack GitHub’s Copilot Agent via crafted GitHub issues. Attackers submit issues to public repositories with instructions that appear helpful—but contain hidden prompt injections. If a developer assigns Copilot to address the issue, the injected prompt can coerce the AI into adding a backdoor into the code, which may then be approved and merged blindly. 

Key Insights 

• GitHub issues become the attack surface: An innocuous-looking issue carries a hidden instruction that taints the resulting code generated by Copilot. 

• Trusted automation, exploited: The exploit leverages developer reliance on AI-generated contributions, making backdoors stealthy and high-impact. 

• Amplified by scale: As more teams adopt AI-assisted coding, similar prompt injection attacks could spread across the ecosystem. 

• Defensive alert: Manual review and validation of AI-generated changes is essential to prevent these subtle but dangerous backdoors. 

Further Reading: Trail of Bits – Prompt Injection Engineering for Attackers: Exploiting GitHub Copilot 

Stealth Prompt Injection via Image Scaling in AI Systems 

Researchers at Trail of Bits have demonstrated a novel technique for covertly injecting prompts into AI systems via carefully crafted images. By exploiting how platforms like Gemini CLI, Vertex AI Studio, Google Assistant, and others downscale images before processing, attackers embed hidden instructions that are imperceptible to users but fully executed by the model—leading to serious outcomes such as unauthorized data exfiltration. 

Key Insights 

• Invisible threat vector: Images concealed malicious instructions that only appear once scaled down, silently compromising AI agents. 

• Widespread impact: The technique works across multiple AI systems—including both UI and API interfaces—making it a widespread concern. 

• Attack fingerprinting required: Each system's unique downscaling algorithm (nearest neighbor, bilinear, bicubic, etc.) necessitates reverse-engineering to craft effective injections. 

• Defensive best practices: Systems should avoid automatic downscaling and ensure users see exactly what the model processes; prevent tool-triggering content embedded in image data. 

Further Reading: Trail of Bits – Weaponizing Image Scaling Against Production AI Systems 

Phishing via Video Invites Deploying ScreenConnect RMM Tool 

A widespread phishing campaign is abusing trusted workplace tools like Zoom and Microsoft Teams invites to deliver ConnectWise ScreenConnect—a legitimate remote access tool turned into a malware deployment vector. Attackers impersonate real meeting notifications, often using compromised accounts, and craft AI-generated phishing pages to trick users into installing the tool under the guise of joining a meeting. 

Key Insights 

• This tactic subverts user trust by leveraging familiar communication channels to bypass typical phishing filters. 

• The campaign has targeted over 900 organizations globally, spanning education, religious institutions, healthcare, finance, retail, legal, and manufacturing sectors across the U.S., U.K., Canada, and Australia. 

• Attack workflows employ sophisticated delivery methods such as AI-generated landing pages, obfuscated URLs via domain wrapping, and trusted hosting platforms to evade detection. 

• ScreenConnect, once installed, gives attackers administrator-level access, enabling lateral movement, credential harvesting, and further internal phishing. 

• The attack is supported by a growing criminal marketplace offering pre-packaged “ScreenConnect attack kits,” complete with stealth features and persistence capabilities. 

Further Reading: Abnormal AI – ScreenConnect Abuse Phishing Campaign 

HexStrike-AI: AI Orchestration Transforms Zero-Day Exploitation 

Check Point Research reveals HexStrike-AI, a sophisticated AI-driven offensive framework that connects LLMs (like GPT and Claude) to over 150 security tools, orchestrating vulnerability discovery and exploitation via an abstracted control layer. This AI “brain” automates complex cyberattacks, collapsing exploit development timelines from days or weeks to under ten minutes—dramatically shrinking the window for defenders. 

Key Insights 

• Automated offensive orchestration: HexStrike-AI enables AI agents to autonomously plan, execute, and adapt multi-stage attack chains—from scanning to exploit delivery to persistence—in real time. 

• Immediate weaponization: Threat actors began applying it within hours of a Citrix NetScaler vulnerability disclosure (CVE-2025-7775–7776, 8424), achieving unauthenticated remote code execution and deploying webshells. 

• AI-driven resilience and adaptation: With retry logic and dynamic decision-making, the system adapts to failures automatically—heightening effectiveness and lowering the expertise barrier. 

• Defensive paradigm shift required: Static rules and traditional patch cycles are obsolete. To stay ahead, organizations must adopt adaptive detection, AI-enhanced threat intelligence, continuous patch automation, and assume compromise by design. 

Further Reading: Check Point – HexStrike-AI: When LLMs Meet Zero-Day Exploitation 

Talos Q2 2025: Valid Credentials Remain the Cybercriminals’ Favorite Entry Point 

Cisco Talos’ Q2 2025 findings reveal that phishing continues as the top method for initial access—despite a 40% drop from Q1—often executed using compromised internal or trusted partner email accounts. Credential theft remains central, with attackers exploiting both valid authentications and MFA weaknesses. Ransomware remains prevalent, with new activity from Qilin and Medusa variants. Disturbingly, outdated tools like PowerShell v1.0 are still in use, especially in ransomware deployments. Education is now the most targeted sector, and more than 40% of incidents involved some MFA misconfiguration or bypass. 

Key Insights 

• Phishing remained dominant for initial access, powered largely by trusted internal or partner emails. 

• Qilin and Medusa ransomware emerged as new threats, continuing a deepening focus on credential theft. 

• Around 33% of ransomware cases used legacy tools such as PowerShell v1.0, highlighting alarming security gaps. 

• The education sector experienced the highest targeting intensity across industries. 

• More than 40% of cases involved MFA issues—misconfiguration, absence, or bypass—emphasizing the need to validate MFA's effectiveness. 

Further Reading: Cisco Talos – Legitimate Credentials Remain a Prime Target for Cybercriminals 

Stealerium & Phantom Infostealers: Resurgence of Open-Source Malware 

Proofpoint researchers have observed a significant uptick in the use of Stealerium, an open-source infostealer once positioned as educational, now increasingly weaponized in live campaigns. Multiple variants—including Phantom Stealer and Warp Stealer—share substantial code overlap, making detection more challenging. Notably, threat actors such as TA2715 and TA2536 leveraged Stealerium in mid-2025, targeting industries like hospitality, education, and finance with varied delivery methods, including compressed executables and VBS attachments. 

Key Insights 

• Open-source at-scale abuse: Stealerium’s freely available code is providing threat actors a shortcut to build custom, stealthy infostealers. 

• Broad delivery tactics: Campaigns use lures such as “Payment Due,” “Court Summons,” and travel-related themes, delivered via JS, ISO, IMG, and VBS file formats. 

• Extensive and evasive exfiltration options: Capable of stealing browser credentials, credit cards, crypto wallets, chat logs, and exfiltrating via multiple services including SMTP, Discord, and Telegram. 

• Anti-analysis sophistication: Includes sleep timers, GPU and user-blocklists, sandbox detection, and self-destruction when analysis environments are detected. 

Further Reading: Proofpoint – Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers 

“Data Is the New Diamond” – Hackers Intensify Data Heists from SaaS Platforms 

Recent findings by Unit 42 show that cybercriminals are increasingly focusing on the theft of customer and corporate data—not just for resale, but for extortion—especially from platforms like Salesforce. Groups such as UNC6395, Bling Libra, and others are exploiting misconfigurations, social engineering, and weak third-party app controls. Retail and hospitality sectors are under particular pressure, as actors shift away from noisy compromises toward stealthier supply chain attacks and data theft extortion. 

Key Insights 

• The Salesloft Drift supply chain attack has been linked to UNC6395, and is showing deep reconnaissance efforts and new data exfiltration of Salesforce objects like Accounts, Contacts, Cases, and Opportunities. 

• Threat actors are using Telegram channels to boast about stolen data and extortion efforts—some even discussing a new Ransom-as-a-Service (RaaS) tool they say can encrypt at speeds of ~1 GB/s. 

• Social engineering and procedural gaps (rather than zero-day software bugs) are being exploited heavily—particularly via uninstalled connected apps, weak oversight of third-party integrations, and user access controls. 

• Retaliatory moves from defenders include Salesforce limiting end users’ ability to use uninstalled connected applications, raising the cost of attacker access. 

Further Reading: Unit 42 – Data Is the New Diamond: Latest Moves by Hackers and Defenders 

FileFix Campaign Goes Live: Steganography, Obfuscation, and StealC Infostealer 

Acronis Threat Research Unit has uncovered a sophisticated FileFix campaign operating in the wild. Unlike earlier proof-of-concept versions, this one uses advanced techniques including steganography, layered payloads, and global targeting to deliver StealC infostealer. 

Key Insights 

• A FileFix attack that tricks victims via a phishing site posing as Meta support, urging them to view an “incident report.” Victims are prompted to paste what appears to be a file path—but this action triggers a malicious PowerShell command. 

• Steganographic payloads: A JPG image hosts both a second-stage PowerShell script and encrypted executables, downloaded by the victim and extracted for execution—making detection harder. 

• The attack chain is multistage with heavy obfuscation: fragmented PowerShell commands, Base64 encoding, encrypted URLs, stealthy loaders, and sandbox/VM detection. 

• Final payload, StealC, aims at browser credentials, messaging apps, crypto wallets, and cloud service secrets. 

• Global reach with multilingual phishing pages and evolving variants over recent weeks, indicating rapid adaptation and expansion of the attack infrastructure. 

Further Reading: Acronis → FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography 

Four Phishing Lures Deliver RMM Tools (Red Canary & Zscaler) 

Red Canary and Zscaler research identifies campaigns using four primary social-engineering lures—fake browser updates, meeting invites, party invites, and fake government forms—to trick victims into downloading legitimate-looking Remote Monitoring & Management (RMM) installers (ITarian, PDQ, SimpleHelp, Atera, ScreenConnect). Adversaries leverage these tools’ legitimacy to establish stealthy persistence, sideload malicious DLLs, deploy infostealers, and maintain long-term access while evading many automated detections. 

Key Insights 

• Four repeatable lures (browser update, meeting invite, party invite, government form) reliably drive RMM installs. 

• Attackers sometimes chain two RMMs quickly to ensure multiple persistent access routes. 

• Malicious chains use signed or otherwise legitimate installers that sideload trojanized DLLs and launch additional loaders/infostealers. 

• Infection flows often include iframe overlays, device-aware redirects, and JS that fingerprints and tracks victims for campaign optimization. 

• Telegram and similar services are abused for C2 and exfiltration, and infrastructure frequently rotates to avoid static IOCs. 

• Detection opportunities exist (e.g., unusual RmmService.exe child processes, unexpected MSI installs, and suspicious process paths) but require behavioral analytics and threat hunting to catch reliably. 

Further Reading: Red Canary – You’re invited: Four phishing lures in campaigns dropping RMM tools 

AdaptixC2: New Open-Source Post-Exploitation Framework Observed in the Wild 

Unit 42 observed AdaptixC2 — an open-source post-exploitation / adversary-emulation framework — being used in real attacks in mid-2025. The toolkit offers modular C2, multiple transport profiles, plugin/BOF support, and configurable OpSec options, making it simple for operators to customize persistence, tunneling, and data exfiltration. 

Key Insights 

• Versatile post-exploitation features: supports EXE/DLL/service/shellcode agents, file transfer, SOCKS proxying, and beaconing. 

• Modular & evasive design: plugin/extender architecture, BOF support, encrypted embedded configs, and anti-analysis hooks enable tailored evasion. 

• Multiple communications profiles: operators can switch between HTTP, SMB (named pipes), and raw TCP to bypass monitoring. 

• Real-world use: deployed via social-engineering and code-assisted delivery vectors to establish persistent access. 

• Defender advantage: predictable, extractable config blocks (encrypted but parseable) enable reliable indicator extraction for hunting and blocklisting. 

Further Reading: Unit 42 – AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks 

EDR-Freeze: User-Mode Abuse of Windows Error Reporting to Suspend EDR 

A new proof-of-concept called EDR-Freeze demonstrates an attacker can suspend endpoint security processes from user mode by abusing Windows Error Reporting (WER). The technique uses WerFaultSecure and the MiniDumpWriteDump API to trigger a dump operation that suspends a target process’s threads — then suspends the dumper itself so the target never resumes, leaving the security agent in a persistent “coma.” A public tool and PoC have been published and successfully tested against Windows Defender on Windows 11 24H2. 

Key Insights 

• User-mode attack surface: Leverages legitimate WER components (WerFaultSecure + MiniDumpWriteDump) — no vulnerable kernel driver required. 

• Race condition weaponization: The attacker triggers a dump of the security process, then suspends the dumper to prevent resumption, leaving the EDR/AV suspended indefinitely. 

• Proof-of-concept available: A public tool/PoC was released and tested, demonstrating real-world impact on Windows Defender. 

• Stealth & practicality: Because it uses built-in OS components and PPL processes, the technique is stealthy and harder for traditional protections to spot. 

• Detection opportunities: Monitoring for unexpected WER/dump activity targeting security processes or anomalous WerFaultSecure actions can surface misuse. 

• Platform hardening needed: OS vendors could restrict or validate WER invocations for sensitive PIDs, limit allowed parameters, or add stricter controls around WerFaultSecure to close this abuse path. 

Further Reading: Bleeping Computer – New EDR-Freeze tool uses Windows WER to suspend security software 

CISA Issues Emergency Directive After Google Chrome 0-Day Exploited In the Wild 

CISA has issued an Emergency Directive (2025-06) mandating U.S. federal agencies immediately mitigate a critical zero-day vulnerability in Google Chrome (CVE-2025-XXXX). The flaw is actively exploited in the wild via malicious Microsoft Word documents embedding HTML/WSH payloads. When opened, these documents silently launch a loader in the background that abuses Chrome’s internal APIs to fetch and execute remote shellcode. Evidence ties campaign infrastructure to a known China-based threat cluster (UNCX), suggesting espionage motives. 

Key Insights 

• The exploit abuses Chrome internal APIs to download and run shellcode, bypassing typical browser exploit mitigation. 

• Attackers embed payloads in Word files, making delivery via email or documents deceptively trivial. 

• Infrastructure analysis shows overlap with previously known threat actors, indicating this is not a “novel actor.” 

• CISA’s emergency directive underscores that governments consider this a severe threat to national infrastructure. 

• Organizations should prioritize Chrome patching, scanning for artifact indicators (malicious Word macros, shadow loader activity), and monitoring post-exploit shellcode behavior. 

Further Reading: CyberSecurityNews – CISA greenlights emergency directive after Google Chrome 0-day exploits 

AI vs AI: Detecting an AI-Obfuscated Phishing Campaign 

Microsoft Threat Intelligence analyzed a credential-phishing campaign that used AI-generated, heavily obfuscated JavaScript hidden inside an SVG to evade detection. Attackers disguised malicious logic as business-style visuals; the payload reconstructed commands at runtime. Defender disrupted the campaign by correlating behavioral signals, message context, and infrastructure indicators rather than relying on surface content alone. 

Key Insights 

• Attackers used AI to generate obfuscated code embedded in an innocuous file type (SVG) that appeared as business dashboard visuals. 

• Obfuscation relied on decoy elements and reconstructed logic that only executed at runtime. 

• Patterns typical of AI-generated artifacts (e.g., overly verbose identifiers, unnatural structure) can themselves be detection signals. 

• Effective detection required behavioral and infrastructure signals beyond static content inspection. 

Further Reading: Microsoft – AI vs AI: Detecting an AI-obfuscated phishing campaign 

Higher-Ed Account Compromise via Duo MFA Exploited in OTP Interception Scheme 

Abnormal AI reports a recent campaign targeting higher-education institutions where attackers compromised master user email accounts (e.g., Office 365 Global Admins) and used them to control Duo MFA flows. The adversary abused Duo’s “Remembered Device” bypass and session reset features to intercept one-time passcodes (OTPs), effectively taking over accounts without direct credential access. 

Key Insights 

• Attackers first gained access to an administrator-level email account, then leveraged it to reset or manipulate MFA settings. 

• Duo’s “Remembered Device” paths and session recovery logic were abused to bypass OTP challenges. 

• Once access is established, adversaries can escalate privileges, disable security controls, and move laterally across SaaS. 

• This technique underscores critical weaknesses in MFA workflows when combined with email compromise. 

Further Reading: Abnormal AI – Higher Ed: Duo OTP Theft & Account Compromise 

MatrixPDF Turns PDFs into Phishing & Malware Delivery Tools 

Varonis Threat Labs has documented a new attack toolkit, MatrixPDF, that weaponizes otherwise benign PDF files by adding malicious overlays, clickable prompts, and embedded JavaScript. The result: emails with PDF attachments easily pass through email filters and render seemingly innocuous in Gmail’s preview — but hidden actions trigger credential harvesting or malware deployment once interacted with. 

Key Insights 

• The attacker starts with a legitimate PDF and uses the MatrixPDF builder to inject malicious payload URLs, overlays, or fake “unlock document” prompts. 

• In Gmail preview mode, the PDF looks normal but displays blurred content and a prompt (“Open Secure Document”), enticing users to click. The click launches a redirect to the attacker’s hosted payload. 

• Because the PDF itself contains no binary payload (only scripts or annotations referencing external resources), many scan engines miss the malicious behavior entirely. 

• For desktop PDF viewers that support JavaScript, MatrixPDF can embed active scripts that execute on open or when certain prompts are clicked. 

• The toolkit supports appearance tweaks — custom icons, corporate logos, button styling — to increase believability and lower suspicion. 

Further Reading: Varonis – MatrixPDF Puts Gmail Users at Risk with Malicious PDF Attachments 

This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.

LNK Malware Strategies: Surge in Shortcut File Attacks 

Unit 42 has detected a significant uptick in malicious use of Windows shortcut (LNK) files, with infections rising from approximately 21,100 in 2023 to over 68,400 in 2024. Their in-depth analysis of 30,000 samples highlights how attackers exploit the flexibility of LNK files to execute malware via four main techniques: exploit execution, file-on-disk execution, in-argument scripts, and overlay content. 

Key Insights: 

• Exploit Delivery: Malicious LNK files leverage OS vulnerabilities to trigger payload execution directly when folders are opened. 

• File Execution: Attackers use LNK shortcuts to launch hidden executables or scripts residing on disk. 

• In-Argument Scripts: LNK files embed commands within their arguments, often invoking PowerShell or cmd.exe with encoded scripts for stealthy execution. 

• Overlay Payloads: Hidden payloads are appended to LNK files, with execution triggered via utilities like findstr, mshta, or PowerShell to extract and run embedded code. 

Between March and April 2025, the rapid expansion in campaigns underscores the need for caution around downloading or opening unknown LNK files, especially those received via email or untrusted sources. 

Further Reading: Unit 42 

BERT Ransomware Hits Asia & Europe Across Multiple Platforms 

Trend Micro researchers have identified BERT, a newly emerged ransomware group targeting organizations in Asia, Europe, and the U.S.—notably within healthcare, technology, and event services sectors. First observed in April 2025, BERT operates across both Windows and Linux environments and stands out for its streamlined execution and powerful impact despite a relatively simple codebase. 

Key Insights: 

• Multi‑Platform Reach: BERT deploys across Windows and Linux systems. Windows attacks disable security tools and escalate privileges via PowerShell, while Linux variants operate with high parallelization—encrypting up to 50 threads and forcibly shutting down ESXi virtual machines to maximize impact. 

• Efficient Encryption Tactics: The ransomware halts critical processes, encrypts files quickly using AES, appends a .encrypted_by_bert extension, and drops ransom notes immediately. 

• Active Development & Russian Code Artifacts: Multiple variants have been identified, with code including Russian-language comments and hosted on Russian infrastructure—raising potential attribution links to Russia-aligned threat actors. 

• REvil Code Lineage: Analysts note similarities to the Linux variant of the now-dismantled REvil ransomware, suggesting BERT may be built using its leaked codebase. 

Further Reading: Trend Micro Research 

NordDragonScan: A Stealthy Data‑Harvester Targeting Windows 

FortiGuard Labs recently uncovered NordDragonScan, a covert Windows infostealer silently dropped via HTA scripts. Once executed, the malware harvests documents, full browser profiles, screenshots, system details, and even network inventory before exfiltrating everything to a command-and-control server. Installation begins through deceptive RAR archives and LNK files that trigger mshta.exe, concealing activity behind a decoy Ukrainian-language document. 

Key Insights: 

• Begins with a weaponized HTA dropped by a malicious LNK shortcut, leading to an invisible PowerShell installation of the payload. 

• NordDragonScan performs deep data collection, including documents (.docx, .pdf, .xls), screenshots, Chrome and Firefox history, system and network details. 

• Persistence is established via a Run-key registry entry; C2 communication occurs over TLS using custom headers (e.g. MAC-based user-agent). 

• Targets local network hosts for broader reconnaissance and evades static detection through string obfuscation and hidden executable tactics. 

Further Reading: Fortinet 

June 2025 Malware Spotlight: Discord Exploits Rise 

Check Point Research’s June 2025 malware spotlight reveals an escalating threat vector: hijacked Discord invite links. Attackers are exploiting expired or deleted invite codes—especially vanity URLs—to redirect users into malicious servers. Over 1,300 victims globally have been impacted, with malware like AsyncRAT and Skuld Stealer delivered via trusted platforms such as GitHub, Pastebin, and Bitbucket. 

Key Insights: 

• Hijacking Trusted Links: Threat actors reclaim expired or custom Discord invite links to lure users into malicious servers. 

• ClickFix Social Engineering: Victims encounter fake verification bots that execute clipboard injections and PowerShell commands. 

• Stealthy Delivery Chain: Malware is deployed in multiple stages using trusted cloud services to evade detection. 

• Widespread Impact: The campaign has affected users in the U.S., Vietnam, Germany, France, and the U.K., primarily targeting cryptocurrency users. 

Further Reading: Check Point Research 

Jasper Sleet: North Korean Remote IT Workers Use AI to Infiltrate Organizations 

Microsoft Threat Intelligence has identified a surge in activity from the North Korea-linked threat actor Jasper Sleet, formerly tracked as Storm‑0287. These operatives are exploiting remote work arrangements to embed themselves within organizations worldwide. Using AI tools to enhance fake identities, they are securing employment, gaining access to sensitive systems, and exfiltrating data to support North Korea’s strategic and financial objectives. 

Key Insights: 

• Jasper Sleet operatives use AI for facial and voice modification to impersonate real job seekers. 

• Fake identities are supported by fabricated credentials, doctored online profiles, and complicit facilitators. 

• The campaign targets a wide range of industries across North America, Europe, and Asia. 

• Over 3,000 accounts have been suspended due to links to this operation. 

• Common tactics include the use of residential IPs, remote access software, and resume laundering. 

Further Reading: Microsoft Security Blog 

Preventing ClickFix Attacks: A Critical Playbook 

Unit 42 outlines the growing prevalence of ClickFix social-engineering attacks—where users are duped into copying and executing malicious commands from deceptive web prompts. Given these attacks' reliance on clipboard manipulation and prompt hijacking (especially via PowerShell), defenders must adopt both technical and educational countermeasures. 

Key Insights: 

• Clipboard Monitoring Defenses: Alerts should trigger when suspicious commands are copied, especially PowerShell scripts; clipboard activity monitoring complements traditional endpoint detection measures. 

• Restricting Shell Execution: Limit or disable mshta.exe, PowerShell, and cmd.exe execution unless explicitly required—and particularly from web-origin contexts—to reduce attack success rates. 

• Harden User Prompts: Implement policies to disable or neuter clipboard/paste functionality in browser environments vulnerable to web-based injection prompts. 

• User Education is Key: Train users to recognize fake CAPTCHAs and unusual ‘copy-and-paste’ prompts. Clear guidance—such as “never paste commands into system prompts”—can disrupt the attack lifecycle. 

Further Reading: Unit 42 

RenderShock: Weaponizing Trust in File Rendering Pipelines 

Cybersecurity researchers at Cyfirma (with corroboration from IBM X-Force) have revealed a stealthy, zero-click attack strategy dubbed RenderShock. This sophisticated technique exploits passive file-rendering systems—like preview panes, metadata indexing, and sync clients—to discreetly trigger malicious activity without any user action. 

Key Insights: 

• Zero-Click Payloads: Attackers embed malicious logic into document metadata, file previews, or automation workflows that execute when files are merely indexed or previewed—not opened. 

• Multi-Vector Exploits: The framework targets diverse surfaces like Windows Explorer preview panes, macOS Quick Look, email client renderers, cloud sync tools, and antivirus scanners to activate payloads. 

• Stealth & Modularity: RenderShock uses simple evasion tactics—like executing reverse-shell macros or NTLM beaconing via UNC paths—and also advanced payloads such as dual-format polyglots, remote Office templates, and poisoned EXIF metadata. 

• Wide Impact Potential: Capabilities range from reconnaissance and credential harvesting to remote execution and lateral movement, all without requiring user interaction. 

• Defense Strategies: Mitigation relies on disabling preview/indexing features, sandboxing file handling, blocking SMB egress, monitoring unusual network activity from renderer processes, and simulating RenderShock techniques in red team exercises. 

Further Reading: Cyfirma 

Gemini Email Summary Phishing: Invisible Prompt Injection Risk 

A newly discovered vulnerability in Google’s Gemini for Workspace demonstrates how attackers can embed hidden instructions in emails—styled with invisible text—so that clicking “Summarize this email” invokes the malicious prompt. This can result in fake security alerts, phishing links, or fraudulent phone numbers appearing in AI-generated summaries. 

Key Insights: 

• Attackers hide directives using invisible HTML/CSS that Gemini parses but users can’t see. 

• Summarized messages may falsely warn of compromised accounts and urge recipients to click links or call numbers. 

• Because there are no obvious phishing signals (like attachments or visible links), these emails bypass typical threat detection. 

• Security teams should flag summaries containing urgent calls to action and train users to verify full email content. 

Further Reading: Bleeping Computer 

Deepfake It ‘til You Make It: The New AI Criminal Toolset 

Cybercriminals are increasingly exploiting deepfake technology to conduct fraud, extortion, and manipulation campaigns. Originally built for creative or entertainment purposes, AI-driven tools for generating fake audio, video, and images are now widely available and being misused to impersonate individuals and mislead organizations. 

Key Insights: 

• Democratized Deepfake Creation: Tools for generating synthetic media are now easy to use, enabling low-skilled actors to produce realistic forgeries. 

• CEO Fraud & Recruitment Exploits: Deepfake audio and video are being used to impersonate executives during meetings or to create fake candidate profiles in hiring scams. 

• KYC & Identity Fraud Risks: Attackers use deepfakes to bypass identity verification processes at banks and fintech platforms, facilitating account fraud. 

• Plug-and-Play Underground: Criminal communities are sharing deepfake tools, tutorials, and services, lowering the barrier to entry for would-be attackers. 

Further Reading: Trend Micro 

PoisonSeed Bypasses FIDO Keys Using Cross‑Device Sign‑In Trick 

Expel researchers uncovered a clever social engineering tactic used by the PoisonSeed campaign to neutralize FIDO hardware key protections. Instead of exploiting a technical flaw, attackers employ phishing pages and QR codes in a man-in-the-middle scenario that targets FIDO’s cross-device sign-in feature, fooling victims into granting access without physical key interaction. 

Key Insights: 

• A phishing website mimicking Okta captures login credentials and forwards them to the legitimate portal. 

• It then prompts a cross-device sign-in, displaying a QR code that, when scanned by the user, inadvertently authenticates the attacker. 

• No vulnerability in FIDO itself is exploited; attackers manipulate design workflows to bypass multi-factor authentication. 

• Although FIDO keys remain strong, this tactic bypasses them in real time without user awareness. 

• Organizations should monitor for unexpected cross-device login requests and consider options like requiring Bluetooth proximity or restricted registration policies. 

Further Reading: Expel 

SLOW#TEMPEST Malware Spotlight: Advanced Obfuscation Techniques Unveiled 

Unit 42 has analyzed a recent variant of the SLOW#TEMPEST malware campaign, revealing sophisticated obfuscation—such as dynamic jumps and indirect function calls—used by threat actors to hinder both static and dynamic analysis. 

Key Insights: 

• Control-Flow Obfuscation: The loader DLL uses runtime-calculated jumps (JMP RAX) to scramble execution paths, making conventional CFG analysis unreliable. 

• Indirect Calls: Instead of direct API calls, SLOW#TEMPEST employs dynamically resolved function pointers (CALL RAX), complicating detection of malicious functionality. 

• Emulation-Based Deobfuscation: Researchers successfully reversed obfuscation by emulating dynamic jumps and calls in IDA Pro, restoring visibility into the control flow and API usage. 

• Evasion of Sandboxes: These techniques prevent decompilers and automated sandboxes from recognizing malicious behavior, allowing the malware to remain hidden and active. 

• Detection Takeaway: Security teams should enhance defenses with emulation, behavioral telemetry, and control-flow integrity mechanisms to detect threats that evade traditional signature-based analysis. 

Further Reading: Unit 42 

Matanbuchus Malware Delivered via Microsoft Teams Calls 

Security researchers have alerted to a targeted campaign where attackers exploit Microsoft Teams voice calls—impersonating IT support—to remotely deploy Matanbuchus 3.0 malware. Victims are persuaded to use Windows Quick Assist, opening remote access doors. A PowerShell script then deploys a malicious ZIP package containing a side-loaded DLL loader, which initiates memory-resident infection without leaving obvious traces. 

Key Insights: 

• Social Engineering via Teams: Callers pose as IT personnel to earn trust and initiate remote-control sessions. 

• Quick Assist Abuse: Remote assistance tools are misused to bypass controls and execute malicious scripts. 

• In-Memory Loader: The malware uses PowerShell to unpack a DLL loader that sideloads the final payload without disk artifacts. 

• Advanced Evasion: Version 3.0 introduces Salsa20-based encryption, syscall usage to evade EDR hooks, and anti-sandbox mechanisms. 

• High-Risk Payload: Matanbuchus 3.0 can deploy additional threat tools like Cobalt Strike and ransomware, providing full system control. 

Further Reading: Bleeping Computer 

FileFix: A Social Engineering Evolution of ClickFix 

Check Point Research has uncovered FileFix, a new social engineering attack that refines the ClickFix method to trick users into executing malicious commands. Delivered through compromised or typo-squatted websites, FileFix prompts victims with a fake download link or “Fix” button—copying harmful PowerShell scripts to the clipboard. When users paste and run these snippets, the attacker gains system access through a stealthy, multi-stage infection chain. 

Key Insights: 

• FileFix uses clipboard hijacking to push malicious payloads via user-initiated paste actions. 

• Fake prompts mimic legitimate "fix" or software update buttons to build trust. 

• Infection unfolds in stages—from initial PowerShell downloaders to final payloads like AsyncRAT or remote access trojans. 

• This variation simplifies and accelerates command execution compared to previous ClickFix variants. 

• Detection requires user awareness and endpoint policies that block shell execution from clipboard content. 

Further Reading: Check Point Research 

Linkable Token Identifiers Now GA for Enhanced Identity Threat Detection 

Microsoft Entra ID has launched linkable token identifiers—a new capability that allows security teams to trace a user session across Microsoft 365 services (including Teams, SharePoint, Exchange Online, and Graph). Each session is now tagged with a Session ID (SID) and Unique Token Identifier (UTI), enabling precise correlation of all actions originating from a single authentication event across multiple workloads. 

Key Insights: 

• SID enables linkage of all access tokens and session activity from one login, while UTI uniquely identifies each issued token. 

• Security analysts can now trace attacker movements—such as lateral access, API usage, or mailbox actions—across services using unified session tracking. 

• This simplifies investigation workflows, reducing reliance on fragmented logs or inconsistent identifiers like IP addresses and device IDs. 

• SOCs using Defender XDR and Entra ID Protection can now map anomalous activity with greater accuracy and speed. 

Further Reading: Microsoft Entra Blog 

FBI & CISA Update on Tactics & Threats for Scattered Spider 

Critical infrastructure and commercial entities are urged to review CISA's updated joint advisory AA23‑320A (last revised July 29, 2025), detailing evolving tactics used by the Scattered Spider cybercriminal group. Known for preying on IT and help desk personnel, this financially motivated threat actor now combines social engineering, ransomware, and data extortion with sophisticated new techniques. 

Key Insights: 

• Scattered Spider continues targeting IT support channels using voice phishing (vishing), SMS phishing (smishing), and MFA fatigue attacks alongside SIM swapping to obtain access credentials. 

• Once inside, attackers repurpose legitimate remote-access and tunneling tools (e.g. TeamViewer, AnyDesk, Ngrok) instead of relying on malware, enabling stealthy and persistent access. 

• New variants like DragonForce ransomware are now being deployed as part of combined extortion operations (data theft + encryption). 

• In recent operations, actors have refined social engineering methods while rotating TTPs to evade detection and extend dwell time. 

• Updated mitigations emphasize phishing-resistant MFA, verifying helpdesk contacts out-of-band, limiting remote access tool use, and continuous validation of security controls against evolving attack behaviors. 

Further Reading: CISA Advisory AA23‑320A (Scattered Spider) 

Phishing Trends Q2 2025: Microsoft at the Helm, Spotify Rejoins the Spotlight 

Check Point Research’s latest Brand Phishing report reveals that in the second quarter of 2025, cybercriminals continued to impersonate high-trust brands to trick users into revealing credentials or financial data. Microsoft remained the most spoofed brand—used in 25% of phishing attempts—followed by Google (11%), Apple (9%), and Spotify (6%), marking Spotify’s first reappearance in the charts since late 2019. 

Key Insights: 

• Microsoft led phishing campaigns, accounting for a quarter of all spoofed brands. 

• Spotify saw a surprising resurgence in impersonation attempts after a long absence, used in campaigns involving fake credential and payment pages. 

• Booking.com–themed domains surged by over 700 in Q2, many embedding personal user data to deceive targets convincingly. 

• Tech remained the top spoofed sector, with social networks, travel, and retail brands also seeing elevated impersonation activity. 

• Seasonal alignment played a key role: the rise in travel scams coincided with summer holiday planning, amplifying phishing success. 

Further Reading: Check Point Research 

Microsoft OAuth Phishing Campaign: MFA Bypass via App Impersonation 

Proofpoint has exposed a sophisticated phishing campaign where attackers used malicious Microsoft OAuth applications—disguised as trusted brands like Adobe, DocuSign, and SharePoint—to trick users into granting access to their Microsoft 365 accounts. These apps operated within legitimate authorization flows, enabling attackers to bypass multi-factor authentication (MFA) with minimal-risk consent requests. 

Key Insights: 

• The fake OAuth apps mimicked trusted publishers to obtain permissions for profile, email, and openid scopes—enough to capture credentials and session tokens without raising suspicion. 

• Once approved, users were redirected to phishing pages that intercepted login credentials and session tokens using AiTM (attacker-in-the-middle) kits like Tycoon or EvilProxy. 

• Attackers were able to maintain access via stolen tokens even after password resets, remaining linked to accounts until consent was manually revoked. 

• The campaign compromised multiple sectors—including finance, healthcare, and retail—targeting executives and high-privilege users. 

• Standard security controls such as DMARC or domain reputation were largely ineffective since the phishing originated from within Microsoft's system. 

• Microsoft is rolling out updated defaults that require administrative approval for third-party app permissions, aiming to limit similar attacks going forward. 

Further Reading: Proofpoint Threat Insight 

GreyNoise: Early Warning Signals Reveal Emerging Vulnerabilities Before Public Disclosure 

GreyNoise’s latest research, “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities”, demonstrates that spikes in malicious activity—such as scanning or brute force attempts—often occur weeks before a corresponding CVE is officially disclosed. This pattern is most pronounced in edge technologies like VPNs, firewalls, and remote access tools. Of 216 observed spikes since September 2024, 80% were followed by a CVE within six weeks, and 50% within just three weeks. 

Key Insights: 

• Attacker reconnaissance frequently precedes public identification of the vulnerability they are probing. 

• Spikes in exploit activity offer a critical 6-week window for defenders to prepare before official disclosure. 

• This trend is particularly prevalent in enterprise perimeter devices—typical initial access points for adversaries. 

• Relying solely on EPSS or KEV can miss these pre-disclosure threats and delay defensive response. 

Further Reading: GreyNoise Early Warning Signals Report 

This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.

Camera Off: Akira Deploys Ransomware via Webcam 

Akira, a notorious ransomware group, has demonstrated a novel technique by bypassing Endpoint Detection and Response (EDR) tools through the compromise of unsecured webcams. After facing detection while attempting to deploy ransomware on a Windows server, Akira pivoted to target a vulnerable webcam on the victim's network. This device, running a lightweight Linux OS and lacking EDR, allowed the group to deploy Linux-based ransomware successfully. This incident emphasizes the importance of securing IoT devices and enhancing patch management strategies. 

Key Insights: 

• IoT devices, such as webcams, can be used as pivot points for attackers to bypass traditional security tools like EDR. 

• Akira's adaptability highlights how ransomware groups are evolving and using multiple platforms for attacks. 

• Organizations should prioritize securing all devices, including IoT, and ensuring comprehensive patch management. 

Further Reading: S-RM 

Not Just for Developers: How Product and Security Teams Can Use GitHub Copilot 

GitHub Copilot is transforming not just development teams but also product and security teams. With its AI-powered code generation, it can assist security teams in identifying vulnerabilities faster and help product teams in generating feature specifications or optimizing documentation. Copilot's integration into the workflow allows these teams to accelerate their tasks and focus more on strategy rather than repetitive tasks, improving efficiency and productivity across the board. 

Key Insights: 

• GitHub Copilot isn't just for coders; it’s valuable for security and product teams too. 

• It accelerates vulnerability identification and aids in documentation and feature specification. 

• Teams can leverage AI to improve efficiency and focus on high-impact work. 

Further Reading: GitHub Blog 

Blink and They're In: How Rapid Phishing Attacks Exploit Weaknesses 

Phishing attacks are accelerating, with attackers exploiting weaknesses in systems faster than security teams can respond. In one notable case, attackers gained control of a network in just 48 minutes using social engineering and a flood of spam emails, followed by convincing employees to give remote access. These attacks leverage low-tech tactics, such as using legitimate tools like Microsoft Teams and Quick Assist, to bypass security defenses. 

Key Insights: 

• Attackers are exploiting basic social engineering tactics, such as impersonating IT help desks, to gain control of devices. 

• Rapid response times (48 minutes in this case) highlight the need for automated security measures. 

• Preventative measures include verifying help-desk staff interactions and locking down remote access tools like Quick Assist. 

Further Reading: ReliaQuest 

ACRStealer Infostealer Exploiting Google Docs as C2 

ACRStealer, a new type of infostealer, is taking a unique approach by using Google Docs as an intermediary command-and-control (C2) server. Threat actors hide malicious commands within Google Docs files, leveraging Base64 encoding to keep the communication with the C2 server hidden. The infostealer targets a wide range of sensitive information, including browser data, cryptocurrency wallet files, FTP credentials, and even chat program data. This shift in tactics highlights the evolving nature of cybercrime and the need for robust monitoring and secure data handling practices to detect and prevent such attacks. 

Key Insights: 

• ACRStealer uses Google Docs, telegra.ph, and Steam as intermediary C2 servers, making it harder to detect the malware's activity. 

• The malware targets sensitive data like browser history, cryptocurrency wallet files, and FTP credentials. 

• It continues to evolve by hiding its communication strings within different services to evade detection. 

Further Reading: AhnLab 

SecTopRAT Bundled in Chrome Installer Distributed via Google Ads 

A new phishing attack is leveraging Google Ads to distribute a fake Google Chrome installer bundled with SecTopRAT, a remote access Trojan (RAT) with stealer capabilities. Users searching for the legitimate Google Chrome installer are led to a malicious Google Sites page, where they unknowingly download the malware disguised as Chrome. The attack bypasses Windows Defender by dynamically retrieving and decrypting the malicious payload, allowing attackers to inject the malware into a legitimate process, giving them control of the victim's system. 

Key Insights: 

• The malware is hidden in a fake Chrome installer, which is distributed through Google Ads and Google Sites. 

• Once installed, SecTopRAT is deployed, giving attackers remote access and the ability to steal sensitive data. 

• The attack evades detection by dynamically downloading the malware and using anti-virus evasion techniques. 

Further Reading: Malwarebytes 

Abusing CSS for Evasion and Tracking: A New Threat 

Cybercriminals are increasingly abusing Cascading Style Sheets (CSS) to evade detection and track users. By using techniques like hidden text salting, attackers can insert irrelevant, invisible content into emails to bypass spam filters and email parsers. This method can also be used to track user actions and preferences, even when email clients restrict dynamic content like JavaScript. 

These tactics include setting text to invisible properties, manipulating opacity, and hiding content off-screen. Attackers can exploit this for phishing emails and even to fingerprint users based on their system configurations. 

Key Insights: 

• CSS properties like text-indent and opacity are used to conceal malicious content and bypass security measures. 

• CSS can also be abused for tracking user actions and preferences, allowing for advanced targeting in phishing campaigns. 

• Security teams should educate employees about these new evasion tactics and strengthen email defenses. 

Further Reading: Talos Intelligence 

Remote Monitoring and Management (RMM) Tools: Attackers’ First Choice 

Cybercriminals are increasingly turning to legitimate Remote Monitoring and Management (RMM) tools as their first-stage payloads in email campaigns. These tools, typically used by IT teams for managing multiple systems remotely, are now being exploited to collect data, steal finances, and deploy additional malware, including ransomware. In 2024, there was a marked shift, with RMM tools like ScreenConnect, Fleetdeck, and Atera replacing traditional loaders and botnets. This trend emphasizes the need for organizations to monitor remote management tools carefully and ensure they are not abused by attackers. 

Key Insights: 

• RMM tools are being used to facilitate cyberattacks by granting attackers remote access to systems. 

• The use of RMM tools as a first-stage payload is increasing, replacing older attack methods. 

• Organizations must secure their RMM tools and ensure they are used appropriately. 

Further Reading: Proofpoint Blog 

ClickFix: The Social Engineering Technique Hackers Use to Manipulate Victims 

The ClickFix technique has gained significant traction among cybercriminals due to its ability to manipulate users into executing malicious actions. By using a clever mix of human psychology and obfuscation, attackers deploy this technique to bypass security systems and install malware. The attack typically involves fake CAPTCHA-like elements, tricking victims into clicking on links or downloading malicious files. This technique has become increasingly popular due to its effectiveness in evading traditional detection methods. 

Key Insights: 

• ClickFix uses obfuscation to bypass security measures and execute malicious actions. 

• Attackers exploit human psychology to trick users into performing actions that compromise security. 

• Organizations should educate employees on recognizing manipulative tactics like ClickFix and improve multi-layered defenses. 

Further Reading: Group-IB Blog 

ESET Discovers Zero-Day Exploit in Windows Kernel (CVE-2025-24983) 

ESET Research has uncovered a zero-day exploit leveraging the CVE-2025-24983 vulnerability in the Windows Kernel, allowing attackers to elevate their privileges. First observed in the wild in March 2023, this exploit was used in conjunction with the PipeMagic backdoor, compromising targeted systems. The discovery highlights the continued use of kernel vulnerabilities in advanced attacks and the importance of regular patching and security monitoring to protect against zero-day threats. 

Key Insights: 

• The exploit targets a critical Windows Kernel vulnerability (CVE-2025-24983), enabling privilege escalation. 

• The attack was first observed in March 2023 and delivered through the PipeMagic backdoor. 

• Organizations must prioritize timely updates and monitoring for signs of this and similar vulnerabilities. 

Further Reading: ESET Research on Bluesky 

From Data to Defense: Insights from ReliaQuest’s 2025 Annual Threat Report 

The 2025 Annual Threat Report from ReliaQuest reveals the rapidly increasing speed of cyberattacks, with attackers moving from initial access to lateral movement in just 48 minutes. AI and automation are now key tools for both attackers and defenders, with organizations needing to integrate AI-driven solutions to keep pace. Phishing remains the primary method of attack, but ransomware tactics are evolving, with more emphasis on data exfiltration rather than encryption. The report offers actionable recommendations, including the need for automated responses, securing remote services, and enhancing logging practices to better track and prevent breaches. 

Key Insights: 

• Attackers now complete lateral movement in 48 minutes, stressing the importance of rapid detection and response. 

• AI and automation are critical to addressing the evolving cyberthreat landscape. 

• Ransomware is shifting towards exfiltration and data extortion. 

Further Reading: ReliaQuest 

Microsoft 365 Targeted in New Phishing, Account Takeover Attacks 

New phishing campaigns are leveraging Microsoft 365's infrastructure to conduct account takeover (ATO) attacks, exploiting tenant misconfigurations and using OAuth redirection. One campaign involves attackers sending phishing emails using Microsoft’s own infrastructure, making detection difficult. These emails, masquerading as legitimate Microsoft notifications, direct victims to call centers, bypassing security controls. Another attack uses OAuth apps pretending to be Adobe and DocuSign to steal credentials and deploy malware. Security teams must be vigilant in securing OAuth applications and scrutinizing internal communications. 

Key Insights: 

• Phishing attacks are exploiting Microsoft 365’s infrastructure for ATO attacks. 

• Attackers use fake support contacts and legitimate-looking emails to trick victims. 

• OAuth applications masquerading as trusted brands are used for stealing credentials and deploying malware. 

Further Reading: SecurityWeek 

AI Agent Attacks: A New Threat with Serious Implications 

AI agents, like OpenAI's Operator, are being used by attackers to automate cyberattacks such as phishing, malware creation, and setting up attack infrastructure. As these AI tools become more accessible, they lower the entry barrier for cybercriminals, increasing the risk of widespread and damaging attacks. 

Key Insights: 

• AI agents automate complex attacks, including phishing and malware creation. 

• These tools reduce the effort required for attacks, making them more accessible to cybercriminals. 

• Organizations should strengthen detection systems and control access to mitigate AI-driven threats. 

Further Reading: Symantec Blog 

JavaGhost’s Persistent Phishing Attacks From the Cloud 

JavaGhost, an active cybercriminal group, has evolved from website defacement to launching sophisticated phishing attacks. They exploit misconfigurations in Amazon Web Services (AWS) environments, leveraging services like Amazon Simple Email Service (SES) to send phishing emails using the infrastructure of compromised organizations. These attacks are particularly insidious, bypassing traditional email protections due to the legitimacy of the sending source. JavaGhost has adapted advanced evasion techniques to obscure their activities, making detection harder for defenders. 

Key Insights: 

• JavaGhost exploits AWS misconfigurations to send phishing emails, bypassing email protections. 

• They use advanced evasion techniques to obscure their presence in cloud logs. 

• Organizations must secure AWS environments, restrict IAM permissions, and implement enhanced detection methods. 

Further Reading: Unit42 Blog 

Buying Browser Extensions: A Dangerous Security Risk 

In a recent investigation, it was revealed how attackers are buying up popular browser extensions and using them for malicious purposes. Extensions that started as helpful tools can easily be sold to the highest bidder, transforming into spyware or data harvesters without the original developers or users being notified. This risky practice allows new owners to repurpose permissions, such as tracking browsing behavior or stealing sensitive data, all without any visible changes to the extension’s appearance. 

Key Insights: 

• Extensions can be sold and repurposed for malicious use, including tracking user data or even stealing login credentials. 

• The process of transferring ownership of extensions is relatively easy, with few security checks from platforms like Google Chrome. 

• Organizations should actively monitor the extensions in use and verify the legitimacy of any new updates or ownership changes to prevent security risks. 

Further Reading: Secure Annex Blog 

Menlo Security Report: 130% Increase in Zero-Hour Phishing Attacks and Nearly 600 Incidents of GenAI Fraud 

Menlo Security's 2025 State of Browser Security Report reveals a 130% increase in zero-hour phishing attacks and highlights nearly 600 incidents of GenAI fraud. Attackers are using generative AI to impersonate legitimate platforms and manipulate users into disclosing personal information. Additionally, cybercriminals are leveraging sophisticated evasion techniques to bypass traditional security systems. With phishing sites growing by nearly 700% since 2020, organizations must prioritize browser security to mitigate these evolving threats. 

Key Insights: 

• A surge in generative AI-based fraud, with cybercriminals impersonating platforms to steal personal data. 

• Nearly 1M new phishing sites are created monthly, reflecting a 700% increase since 2020. 

• Attackers are increasingly exploiting cloud services like AWS and CloudFlare for malicious content hosting. 

Further Reading: Menlo Security 

Is Firebase Phishing a Threat to Your Organization? 

Firebase, a platform commonly used for app development, has been exploited in phishing attacks targeting organizations. Attackers can hijack Firebase’s authentication services to launch phishing campaigns, tricking users into divulging sensitive information. These attacks can be used to steal credentials, and in some cases, manipulate cloud-based services that organizations rely on. With Firebase being a trusted service, users may not immediately recognize these phishing attempts, making it a potent tool for attackers. 

Key Insights: 

• Firebase is being exploited for phishing attacks, often targeting organizations’ authentication systems. 

• Users may unknowingly fall victim due to Firebase’s trusted reputation. 

• Organizations need to be aware of how Firebase can be misused and take proactive measures to secure their systems. 

Further Reading: Check Point Blog 

RansomHub's EDRKillShifter: Unveiling Evolving Ransomware Tactics 

ESET's recent research delves into RansomHub, a prominent ransomware-as-a-service (RaaS) group that emerged in early 2024. The study uncovers RansomHub's connections to established gangs like Play, Medusa, and BianLian, highlighting the dynamic nature of ransomware operations. A focal point of the research is EDRKillShifter, a custom tool developed by RansomHub to disable endpoint detection and response (EDR) systems, enhancing the effectiveness of their attacks. This tool exemplifies the evolving sophistication of ransomware tactics, emphasizing the need for advanced security measures to counteract such threats.  

Key Insights: 

• RansomHub's Emergence: Rapidly rose to prominence in 2024, surpassing established ransomware groups in activity.  

• EDRKillShifter Tool: A custom-developed EDR killer that targets various security solutions to facilitate attacks.  

• Affiliate Connections: Links between RansomHub and other ransomware gangs, suggesting a fluid and interconnected threat landscape.  

Further Reading: ESET Research 

Google Announces Sec-Gemini v1: An Experimental AI Model for Cybersecurity 

Google has introduced Sec-Gemini v1, an experimental AI model designed to enhance cybersecurity operations. By integrating advanced reasoning capabilities with near real-time cybersecurity knowledge, Sec-Gemini v1 aims to improve tasks such as incident root cause analysis, threat analysis, and understanding vulnerability impacts. The model combines Gemini's AI capabilities with data from sources like Google Threat Intelligence (GTI) and the Open Source Vulnerabilities (OSV) database, resulting in superior performance on key cybersecurity benchmarks. Google is offering Sec-Gemini v1 to select organizations, institutions, professionals, and NGOs for research purposes to foster collaboration in advancing AI-driven cybersecurity solutions.  

Key Insights: 

• Sec-Gemini v1 integrates AI with real-time cybersecurity data to enhance security operations.  

• The model outperforms others on benchmarks like CTI-MCQ and CTI-Root Cause Mapping.  

• Google is providing access to Sec-Gemini v1 for research collaborations to advance AI in cybersecurity.  

Further Reading: Google Security Blog 

Off the Beaten Path: Recent Unusual Malware 

Unit 42 researchers have identified several distinctive malware samples exhibiting uncommon characteristics and techniques: 

• C++/CLI IIS Backdoor: A passive backdoor for Internet Information Services (IIS) developed using C++/CLI—a rarely used programming language in malware development. It employs evasive techniques to facilitate unauthorized access. 

• Dixie-Playing Bootkit: This bootkit leverages an unsecured kernel driver to install a GRUB 2 bootloader in a highly unconventional way, showing a creative approach to persistence and system control. 

• ProjectGeass Post-Exploitation Framework: A Windows-based implant of a cross-platform post-exploitation framework written in C++. While not groundbreaking in technique, its atypical structure distinguishes it from mainstream frameworks. 

These samples demonstrate the evolving nature of malware and the increasing variety of methods attackers are using to bypass defenses. 

Further Reading: Unit 42 Blog 

ClickFix: A Deceptive Malware Deployment Technique 

Cybercriminals are employing a tactic known as "ClickFix," which masquerades as a CAPTCHA verification to trick users into executing commands that download malware. This scheme prompts users to press a series of keyboard shortcuts—Windows + R, Ctrl + V, and Enter—that open the Run dialog, paste malicious code, and execute it via mshta.exe, a legitimate Windows utility. This method has been used to deliver various malware families, including XWorm, Lumma Stealer, and AsyncRAT. 

Key Insights: 

• ClickFix attacks exploit user actions to bypass security measures, leading to the installation of credential-stealing malware. 

• Industries such as hospitality and healthcare have been targeted, with attackers impersonating trusted entities like Booking.com. 

• The attack leverages legitimate Windows functionalities (mshta.exe) to execute malicious code, complicating detection efforts. 

Further Reading: Krebs on Security 

PoisonSeed Phishing Campaign Targets Email and CRM Providers 

The PoisonSeed phishing campaign has been identified targeting email and CRM providers, including Mailchimp, Mailgun, and Zoho, to gain unauthorized access to high-value accounts. Attackers create convincing phishing pages that closely resemble legitimate login portals to harvest user credentials. Once access is obtained, they download email lists for use in cryptocurrency-related spam operations. Notably, security expert Troy Hunt fell victim to such an attack, highlighting the sophistication of these phishing attempts. 

Key Insights: 

• PoisonSeed employs highly convincing phishing pages to compromise accounts of email and CRM service providers. 

• Compromised accounts are used to disseminate cryptocurrency-related spam, potentially leading to further financial fraud. 

• Even cybersecurity professionals have been deceived by these tactics, underscoring the need for heightened awareness. 

Further Reading: CSO Online 

98% Increase in Phishing Campaigns Using Russian (.ru) Domains 

Recent analyses have revealed a 98% surge in phishing campaigns hosted on Russian (.ru) top-level domains (TLDs) between December 2024 and January 2025. These campaigns primarily aim to harvest user credentials by employing tactics such as QR codes, auto-redirects, and multi-layered attachments to direct victims to phishing websites. Notably, many of these phishing emails have bypassed security products, including Exchange Online Protection and Barracuda Email Security Gateway. 

Key Findings: 

• 1,500 unique .ru domains identified in the campaign. 

• 377 new domains registered with the "bulletproof" registrar R01-RU. 

• Over 13,000 malicious emails reported. 

• 2.2% of observed emails from .ru domains were phishing attempts. 

• Average age of a .ru domain used in these attacks is 7.4 days. 

Industries Targeted: 

• Business and Economy (36.09%) 

• Financial Services (12.44%) 

• News & Media (8.27%) 

• Health and Medicine (5.6%) 

• Government (4.51%) 

Further Reading: KnowBe4 Blog 

Pharmacist Allegedly Used Keyloggers to Spy on Coworkers at Maryland Hospital 

A former pharmacist at the University of Maryland Medical Center is accused of secretly installing keylogging software on nearly 400 hospital computers over a decade. The class-action lawsuit claims he accessed coworkers’ login credentials, personal files, and even activated webcams in patient exam rooms. The hospital is also being sued for allegedly failing to detect or respond to the breach in a timely manner. 

Key Insights: 

• Keyloggers were reportedly used to steal credentials and access private communications. 

• The software was allegedly installed across hundreds of hospital systems without detection. 

• The incident underscores the importance of monitoring for insider threats and unauthorized software. 

Further Reading: The Record 

This is a monthly newsletter that I share internally with our Cybersecurity team. Feel free to take and use for your own team. Created with the help of ChatGPT.

Exploring Q4 2024 Brand Phishing Trends: Microsoft Remains the Top Target as LinkedIn Makes a Comeback 

In the final quarter of 2024, Microsoft continued to be the most targeted brand in phishing campaigns, but LinkedIn made a significant comeback, appearing as a top target for the first time in years. Phishing actors are increasingly leveraging trusted brands to deceive users, with attacks designed to steal sensitive credentials and install malware. Organizations must continue to strengthen defenses against these brand impersonation attacks to protect their users and data. 

Key Insights: 

• Microsoft remains the primary target in brand phishing campaigns, with attackers frequently using its name to trick users into disclosing credentials. 

• LinkedIn’s resurgence as a phishing target highlights the shifting tactics of cybercriminals, who are capitalizing on platforms that users trust. 

• Organizations need to implement strong anti-phishing measures, including employee training and advanced detection tools, to defend against these evolving threats. 

Further Reading: Checkpoint Blog 

Threat Actors Still Leveraging Legit RMM Tool ScreenConnect for Persistence in Cyberattacks 

Cybercriminals are continuing to exploit the legitimate remote monitoring and management (RMM) tool, ScreenConnect, to maintain persistence in cyberattacks. Threat actors are using social engineering to lure victims into installing altered versions of ScreenConnect, which gives them control over victims’ systems. This tool is particularly used to target sensitive data, with specific campaigns focused on Social Security recipients. The attacks are facilitated through bulletproof hosting providers, making it challenging to trace and mitigate these threats. 

Key Insights: 

• ScreenConnect is being used by threat actors to gain persistent access to victims’ systems. 

• Malicious versions of the software are being disguised as legitimate files, such as eStatements from the Social Security Administration. 

• Social engineering tactics are employed to trick users into installing compromised software. 

• Bulletproof hosting providers are being used to shelter malicious activities, making them harder to disrupt. 

Further Reading: Silent Push 

Hackers Spoof Microsoft ADFS Login Pages to Steal Credentials 

Hackers are spoofing Microsoft Active Directory Federation Services (ADFS) login pages to steal user credentials. This attack leverages the trust users have in Microsoft’s secure login page by creating fake versions that closely resemble the original. Once victims enter their credentials, the attackers steal the information for malicious purposes. This highlights the importance of verifying login pages and using multi-factor authentication to protect against such credential theft. 

Key Insights: 

• Hackers are creating fake versions of Microsoft ADFS login pages to capture user credentials. 

• These attacks rely on users trusting the Microsoft login page, making them difficult to detect. 

• Multi-factor authentication (MFA) and vigilant scrutiny of login pages can help prevent successful credential theft. 

Further Reading: BleepingComputer 

Racing the Clock: Outpacing Accelerating Attacks 

In 2024, cyberattack speeds surged, with the average breakout time dropping to just 48 minutes, a 22% reduction from the previous year. Key factors behind this acceleration include more efficient Ransomware-as-a-Service (RaaS) operations, a rise in infostealers, and the use of AI-powered penetration testing tools. As attacks become faster, organizations must enhance their security measures to match the pace of threat actors, leveraging automation and AI to reduce response times and contain attacks before they spread. 

Key Insights: 

• Breakout time—the time from initial access to lateral movement—has decreased to 48 minutes, making it crucial to respond quickly. 

• Infostealers and IABs (Initial Access Brokers) are driving faster breaches by providing quick access to compromised systems. 

• Automation and AI-driven tools are essential for organizations to respond to attacks more efficiently and minimize damage. 

Further Reading: ReliaQuest 

VidSpam: A New Threat Emerges as Bitcoin Scams Evolve from Images to Video 

Bitcoin scams targeting mobile users are evolving with attackers now using video-based spam (VidSpam) to deceive victims. These scammers are sending small video file attachments to lure individuals into fraudulent schemes. The videos often direct recipients to high-pressure WhatsApp groups where personal information or money is extracted. This evolution from image-based scams to video content marks a troubling trend in mobile security. 

Key Insights: 

• Attackers are using small video files (e.g., 14KB .3gp files) to promote Bitcoin scams through multimedia messages. 

• The video attachments encourage victims to join WhatsApp groups where scammers use pressure tactics to steal money or data. 

• As scammers refine their tactics, VidSpam is expected to increase, targeting unsuspecting mobile users. 

Further Reading: Proofpoint 

January 2025’s Most Wanted Malware: FakeUpdates Continues to Dominate 

FakeUpdates malware remains the top threat in January 2025, continuing its dominance in the malware landscape. This malware is primarily distributed through fake software updates that users are tricked into downloading. Once installed, it can enable attackers to take control of the system and steal sensitive information. The persistence of FakeUpdates emphasizes the need for cautious behavior when downloading updates and a heightened focus on secure software practices. 

Key Insights: 

• FakeUpdates continues to lead as one of the most used malware types, delivered through fake update prompts. 

• This malware is often disguised as legitimate updates, compromising systems and exfiltrating data. 

• Users should avoid downloading updates from unverified sources and ensure they only install software from trusted vendors. 

Further Reading: Checkpoint Blog 

Using Genuine Business Domains and Legitimate Services to Harvest Credentials 

Cybercriminals are increasingly using legitimate business domains and services to conduct credential harvesting attacks. By spoofing well-known companies and mimicking their email communications, attackers deceive users into providing their login information. These tactics often involve using business-looking email addresses and phishing links that lead to fake login pages. This trend underscores the need for businesses and consumers to be cautious when interacting with unsolicited messages. 

Key Insights: 

• Phishing attacks are increasingly using trusted business domains and services to trick users into disclosing credentials. 

• Attackers mimic legitimate emails to create fake login pages that steal sensitive information. 

• Users should be cautious of unsolicited messages and verify the authenticity of any login requests by visiting official websites directly. 

Further Reading: KnowBe4 Blog 

Protect Your Data: Russian Spear-Phishing Targets Microsoft 365 Accounts 

A new spear-phishing campaign linked to Russian threat actors is targeting Microsoft 365 users. The attackers use highly customized phishing emails that appear legitimate, aiming to steal login credentials and gain unauthorized access to sensitive information. With Microsoft 365 being a prime target, organizations should enhance their security by training users to recognize phishing attempts and implementing advanced security measures, including multi-factor authentication. 

Key Insights: 

• Russian threat actors are targeting Microsoft 365 accounts using personalized spear-phishing emails. 

• These attacks aim to steal credentials, putting sensitive data at risk. 

• Organizations should deploy multi-factor authentication and conduct regular security awareness training to protect against these threats. 

Further Reading: KnowBe4 Blog 

New Xerox Printer Flaws Could Let Attackers Capture Windows Active Directory Credentials 

Critical vulnerabilities have been found in Xerox VersaLink printers, allowing attackers to potentially capture Windows Active Directory credentials via pass-back attacks. These flaws, affecting firmware versions 57.69.91 and earlier, enable attackers to manipulate printer configurations and redirect authentication credentials. Successful exploitation could allow lateral movement within an organization's network, compromising servers and file systems. Immediate patching and enhanced security measures, such as strong admin passwords and disabling remote access, are advised. 

Key Insights: 

• Xerox VersaLink printers are vulnerable to attacks that can capture Windows Active Directory credentials. 

• Exploiting these vulnerabilities requires physical or remote access to the printer's control interface. 

• Organizations should patch printers immediately, enforce strong passwords, and limit access to vulnerable settings. 

Further Reading: The Hacker News 

ClickFix vs. Traditional Download in New DarkGate Campaign 

A new malvertising campaign has been observed using two different methods to deliver the DarkGate malware: the ClickFix technique and traditional file downloads. The ClickFix method involves a fake CAPTCHA-like page that tricks users into executing a malicious command, while the traditional approach uses a fake software download disguised as a legitimate app. Both methods ultimately deliver the DarkGate malware, highlighting the adaptability of threat actors in refining delivery techniques. 

Key Insights: 

• The ClickFix method tricks users into running malicious code by mimicking a CAPTCHA process. 

• The traditional download method uses fake installers to distribute malware. 

• Both methods successfully deliver DarkGate, with the ClickFix technique possibly yielding higher success rates. 

Further Reading: Malwarebytes 

Russian Phishing Campaigns Exploit Signal's Device-Linking Feature 

Russian phishing campaigns are exploiting the device-linking feature of the Signal messaging app to compromise user accounts. Attackers use malicious QR codes to trick targets into linking their Signal account to an attacker-controlled device, allowing them to monitor private conversations without fully compromising the target's device. This method has been observed in both large-scale campaigns and targeted attacks, especially against military personnel and high-value targets. 

Key Insights: 

• Attackers use malicious QR codes to link Signal accounts to their devices, enabling undetected access to encrypted communications. 

• These phishing techniques often involve impersonating legitimate resources, such as group invitations or app instructions. 

• Signal users are advised to update the app, check linked devices regularly, and enable two-factor authentication for added protection. 

Further Reading: BleepingComputer 

Phishing Attack Hides JavaScript Using Invisible Unicode Trick 

A new phishing attack technique is using invisible Unicode characters to hide malicious JavaScript. This approach involves obfuscating binary values within JavaScript payloads by replacing them with invisible Hangul characters, making the script appear empty. When executed, a proxy retrieves and reconstructs the original code. The attack is particularly difficult to detect, as it uses anti-debugging techniques and avoids triggering security scanners by exploiting whitespace. The campaign targets affiliates of a political action committee, employing highly personalized tactics. 

Key Insights: 

• The phishing attack uses invisible Unicode characters to obfuscate JavaScript payloads, making detection more challenging. 

• Anti-debugging techniques are employed to avoid analysis and redirect attackers if they detect delays in execution. 

• The attack is highly personalized and can evade security scanners by using empty spaces and encoding methods. 

Further Reading: BleepingComputer 

New Facebook Copyright Infringement Phishing Campaign 

A new phishing campaign has been detected targeting Facebook users with fake copyright infringement notices. The attackers use deceptive emails that appear to come from Facebook, claiming that users have violated copyright laws. The emails contain links to fake Facebook pages that prompt users to enter personal information, including passwords. This campaign highlights the ongoing threat of phishing attacks that impersonate trusted platforms like Facebook. 

Key Insights: 

• The phishing emails mimic Facebook's notifications about copyright violations to trick users into sharing sensitive data. 

• Victims are directed to fake pages designed to capture their credentials. 

• Users should be cautious about unsolicited emails and verify the authenticity of any official communications by visiting Facebook directly. 

Further Reading: Check Point Blog 

University Site Cloned to Evade Ad Detection, Distributes Fake Cisco Installer 

A recent malicious campaign involved cloning a German university website to evade ad detection, distributing a fake Cisco AnyConnect installer. The attackers leveraged a Google ad to direct users to a fraudulent site designed to mimic a legitimate university page, with the goal of deploying the NetSupport RAT. The malware, disguised as a Cisco update, was signed with a valid certificate and allowed attackers to remotely access infected systems. 

Key Insights: 

• Attackers cloned a university website to evade detection, delivering a fake Cisco installer via a Google ad. 

• The malware, NetSupport RAT, was hidden in a digitally signed installer and granted remote access to attackers. 

• Users should exercise caution when downloading software, especially from sponsored ads, and verify the authenticity of the source. 

Further Reading: Malwarebytes 

How Hunting for Vulnerable Drivers Unraveled a Widespread Attack 

An investigation into vulnerable drivers revealed a widespread attack exploiting these weaknesses to gain unauthorized access. Attackers used outdated or unpatched drivers to deploy malware and maintain persistence within compromised systems, bypassing traditional security measures. This emphasizes the need for regular updates and comprehensive vulnerability management to safeguard against such threats. 

Key Insights: 

• Attackers exploited outdated drivers to gain system access and deploy malware. 

• The attack allowed persistent control over systems, evading detection. 

• Regular driver updates and vulnerability assessments are crucial for preventing similar attacks. 

Further Reading: Check Point Blog 

2024 Account Takeover Statistics 

Proofpoint’s latest research highlights the alarming prevalence of account takeover (ATO) attacks, which are now among the most common cyberattack types. These attacks involve threat actors gaining control of legitimate user accounts to execute malicious activities, including data breaches and fraud. The findings underscore the importance of strong authentication and continuous monitoring to prevent unauthorized access and protect sensitive data. 

Key Insights: 

• ATO attacks remain a leading threat, with significant consequences for organizations and users. 

• Gaining access to legitimate accounts allows attackers to bypass security measures and execute more damaging attacks. 

• Organizations should prioritize multi-factor authentication and robust monitoring to mitigate ATO risks. 

Further Reading: Proofpoint 

DeepSeek Lure Used to Spread Malware 

A new DeepSeek campaign uses CAPTCHA-like pages to distribute malware. Attackers use fake CAPTCHA challenges to lure users into executing malicious code, evading detection by appearing harmless. The campaign primarily targets users who are tricked into downloading and running the malware. This attack illustrates how cybercriminals are exploiting popular web features to deliver malicious payloads. 

Key Insights: 

• The malware is delivered through fake CAPTCHA-like pages, making it seem legitimate. 

• Attackers use this method to bypass security filters and trick users into downloading harmful software. 

• Regular security updates and cautious behavior when interacting with unfamiliar websites can help mitigate such threats. 

Further Reading: Zscaler Blog 

Botnet Targets Basic Auth in Microsoft 365 Password Spray Attacks 

A large botnet, consisting of over 130,000 compromised devices, is conducting password-spray attacks against Microsoft 365 accounts. The attackers are using Basic Authentication to evade Multi-Factor Authentication (MFA) protections, exploiting plaintext credentials to access accounts without triggering alerts. This method targets accounts with weak or leaked passwords and bypasses security measures that typically protect interactive sign-ins. Organizations are urged to disable Basic Auth, enforce MFA, and implement Conditional Access Policies (CAP) to protect against these attacks. 

Key Insights: 

• The botnet targets Basic Authentication to bypass MFA and gain unauthorized access. 

• Attackers use stolen credentials to conduct widespread password-spray attacks on Microsoft 365 accounts. 

• Disabling Basic Auth and enabling MFA are critical defenses against this type of attack. 

Further Reading: BleepingComputer 

New Undetectable Batch Script Uses PowerShell and Visual Basic to Install XWorm 

A new undetectable malware campaign uses a highly obfuscated Batch script to deliver the XWorm RAT or AsyncRAT. The script employs PowerShell and Visual Basic Script (VBS) to bypass security tools and download the malware. Once executed, the script establishes persistence and exfiltrates data via Telegram’s API. This campaign marks a significant evolution in fileless attacks, leveraging AI-generated code and cloud-based C2 to evade detection. 

Key Insights: 

• The malware uses a Batch script, PowerShell, and VBS to download XWorm or AsyncRAT. 

• Obfuscation and environmental checks make the attack difficult to detect by security tools. 

• Telegram’s API is used to exfiltrate system data, blending malicious traffic with legitimate communications. 

• AI tools may have assisted in generating the code, increasing sophistication and evasion tactics. 

Further Reading: GBHackers 

Chinese Hackers Target Hospitals by Spoofing Medical Software 

A new phishing campaign has been discovered where Chinese hackers are targeting hospitals by spoofing medical software, including fake updates for health-related applications. The hackers use these fake updates to deliver malware, gaining access to sensitive healthcare data. Hospitals and healthcare organizations are urged to be cautious of unsolicited software updates and to ensure they are obtaining updates from official sources. 

Key Insights: 

• Attackers are spoofing medical software updates to distribute malware in healthcare organizations. 

• The campaign targets sensitive healthcare data, with phishing emails disguised as software updates. 

• Healthcare organizations should verify software updates and ensure they come from trusted sources. 

Further Reading: KnowBe4 Blog 

GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready? 

The 2025 Mass Internet Exploitation Report reveals a dramatic increase in the speed and scale of cyberattacks, with attackers exploiting vulnerabilities faster than security teams can respond. In 2024, automated exploitation of known vulnerabilities was rampant, with legacy flaws from as far back as the 1990s being targeted alongside new threats. The most commonly exploited vulnerabilities were in home routers and IoT devices, which are often overlooked in traditional security strategies. To stay ahead of this rapidly evolving threat, executives must prioritize real-time intelligence and adapt patching and defense strategies to address both old and new vulnerabilities. 

Key Insights: 

• Attackers are automating vulnerability exploitation, surpassing traditional patching strategies. 

• Legacy vulnerabilities are still prime targets, with some dating back decades. 

• Ransomware groups are using mass exploitation to gain access, making real-time threat intelligence a necessity for effective defense. 

Further Reading: GreyNoise 

Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock 

BlackLock, a rapidly rising ransomware-as-a-service (RaaS) operator, has gained prominence for its custom malware and unique data-leak tactics. By Q4 2024, it had become the seventh most active ransomware group, using double extortion to encrypt data and steal sensitive information. BlackLock’s sophisticated leak site and the rapid expansion of its affiliate network via the Russian-language RAMP forum highlight its threat to organizations globally. Executives should prioritize enhancing defense strategies against evolving ransomware threats, including securing third-party access and increasing employee awareness about spear-phishing tactics. 

Key Insights: 

• Custom malware and bespoke ransomware distinguish BlackLock from competitors, making it harder for security tools to detect and defend against. 

• The data-leak site uses unique tricks to pressure victims into paying ransoms before assessing the full scope of the breach. 

• BlackLock’s growing influence on the RAMP forum indicates a well-established network that supports its global ransomware activities. 

Further Reading: ReliaQuest 

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal 

Black Basta and Cactus ransomware groups have expanded their attack methods by incorporating BackConnect malware. This malware creates an outbound connection, which enables attackers to remotely control compromised systems, bypassing security measures designed to block inbound attacks. By integrating BackConnect into their operations, these groups can maintain access to systems even after initial detection, facilitating long-term exploitation. Organizations must strengthen defenses to detect and block this new tactic and limit the potential damage. 

Key Insights: 

• BackConnect malware allows attackers to maintain persistent access through outbound connections. 

• This technique enables ransomware groups to bypass detection and continue exploiting compromised systems. 

• Organizations should improve detection capabilities to identify and block BackConnect traffic. 

Further Reading: Trend Micro 

Scammers Mailing Ransom Letters While Posing as BianLian Ransomware 

A new scam has emerged where fraudsters are mailing fake ransom letters to businesses, posing as the notorious BianLian ransomware group. The letters, claiming to be from BianLian, demand large Bitcoin ransoms, threatening to release sensitive data if payment is not made within 10 days. However, cybersecurity experts quickly identified multiple red flags: inconsistencies in the language, uncharacteristic delivery via physical mail, and no evidence of data breaches. This scheme aims to exploit the fear and reputation of a known ransomware group for financial gain. 

Key Insights: 

• Scammers are impersonating BianLian ransomware to demand Bitcoin payments via physical mail. 

• The letters use fear tactics, mimicking legitimate ransomware practices, but with numerous inconsistencies. 

• Organizations should educate employees on recognizing such scams and ensure cybersecurity defenses are up to date. 

Further Reading: HackRead