< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1641 articles · page 27 of 83

ClickFix Lures Evolve to Deploy New In‑Memory Infostealers

🔒 Researchers warn that criminals have scaled ClickFix social-engineering lures to deliver sophisticated, fileless infostealers via compromised WordPress sites. Rapid7 observed a campaign active since December 2025 that leveraged fake Cloudflare CAPTCHA prompts across more than 250 WordPress domains in 12 countries to trick victims into running obfuscated commands. The chain deploys an in-memory loader called DoubleDonut that injects payloads into legitimate Windows processes, and analysts also observed novel .NET and C++ stealers alongside a new Vidar variant. Microsoft noted a separate campaign that pivots from the Run dialog to Windows Terminal for execution.
read more →

New ClickFix Variant Uses WebDAV and Trojanized Electron App

🔎 Atos researchers disclosed a ClickFix variation that leverages the Run dialog to execute a 'net use' command, map a remote WebDAV share, and run a hosted batch file. The chain downloads a ZIP that unpacks a trojanized WorkFlowy Electron app whose app.asar contains an obfuscated main.js acting as a persistent C2 beacon and dropper. The campaign evaded Microsoft Defender for Endpoint and was detected through targeted hunting of RunMRU registry activity.
read more →

Hybrid Resilience: Incident Response Across Mixed Stacks

🔁 This article prescribes an operational model for predictable incident response across mixed on‑prem, cloud and SaaS environments. It argues for a shared incident language — a compact contract of rules and artifacts (severity by customer impact, one hypothesis, one timeline, named owners) — enforced via a single incident channel with an incident commander and domain leads. The author recommends portable telemetry in three layers: user journeys as the court of record, cross‑environment correlation IDs and strict clock discipline, plus a single change table. Practical escalation engineering (one‑page provider cards, time to human targets and a rollback/failover decision matrix) closes vendor and operations gaps.
read more →

Reflections on Diversity, Threats, and Cyber Guidance

🔒The author opens this week’s Threat Source newsletter with personal reflections on being raised by a single mother, connecting those experiences to the gender imbalance in STEM and cybersecurity. He cites sobering statistics — for example, women comprise 28.2% of the global STEM workforce and occupy only 16% of CISO roles — and highlights mentorship programs like WiCyS and CTFs. Talos also summarizes a March 10 update on cyber activity tied to the Middle East conflict and provides practical defensive advice for destructive malware, DDoS, and website defacement.
read more →

Rust-based VENON banking malware targets 33 banks in Brazil

🛡️ Brazilian cybersecurity firm ZenoX disclosed a Rust-based banking trojan named VENON that targets Windows users and 33 financial and digital-asset platforms. The threat chain uses DLL side-loading and a PowerShell-delivered ZIP to drop a malicious DLL that performs nine evasion techniques (anti-sandbox checks, indirect syscalls, ETW and AMSI bypasses) before executing payloads. VENON fetches configuration from Google Cloud Storage, installs a scheduled task, and connects to a WebSocket C2 while employing banking overlays, active window monitoring, and an Itaú-specific LNK hijack implemented via embedded VBS; it also supports a remote uninstall to restore altered shortcuts. ZenoX noted the Rust code reflects knowledge of Latin American trojans and appears to have been rewritten or expanded with the aid of generative AI.
read more →

Fake AI Agent Ads Deliver AMOS and Amatera Infostealers

🔒 Kaspersky researchers uncovered malicious Google Search ads that mimic documentation for popular AI assistants (for example, Claude Code, OpenClaw and Doubao) to trick users into running installer commands. The fake guides prompt victims to execute commands that deploy AMOS on macOS (via curl) or the Amatera infostealer on Windows (via mshta.exe), which exfiltrates browser data, crypto-wallets and files to a remote server. Organizations should warn staff, centrally manage access to AI tools and maintain endpoint protections.
read more →

Cyber fallout from Iran conflict: risks and defenses

🔒 The war in the Middle East has expanded cyber risk globally, from physical strikes on AWS data centers to waves of Iran-aligned cyber activity. Within hours of kinetic operations, hacktivists and state-aligned APTs mobilized, using DDoS, defacement, wipers and supply-chain compromises. Organizations should prioritize inventorying internet-facing assets, enforcing phishing-resistant MFA, auditing MSP and cloud dependencies, and preparing offline backups. The guidance focuses on pragmatic hardening where adversaries historically find weak spots.
read more →

Travel Rewards Become Commoditized in Underground Markets

✈️ Flare researchers found that airline miles and hotel points are being treated as commodities in underground markets, where stolen loyalty accounts are traded, redeemed for legitimate bookings, and resold at discounts. Actors post inventory-style listings in messaging groups, often advertising full email access to reduce recovery chances. Observed pricing averaged roughly $1 per 1,000 miles, and major programs were favored for liquidity and resale value. The fraud chain typically follows a four-stage cycle from account takeover to resale.
read more →

Scaling Phishing Detection for Modern Enterprise SOCs

🔐 Modern phishing increasingly hides behind legitimate infrastructure and encrypted HTTPS, making static checks insufficient. The piece recommends a three-part investigation model — safe interaction, automation, and in-sandbox SSL decryption — so SOCs can observe full attack flows, extract actionable IOCs, and reach evidence-based verdicts quickly. This approach reduces analyst load and helps detect identity-driven compromise earlier.
read more →

ThreatsDay: OAuth Consent Abuse, EDR Bypass & More

🔒 Multiple vendors and researchers this week disclosed a broad set of active threats spanning cloud environments, endpoints, and messaging platforms. OAuth consent abuse campaigns impersonated trusted apps to harvest tokens and access mail and files without passwords, while the BlackSanta campaign used resume-themed ISOs to chain DLL side‑loading and disable AV/EDR via vulnerable drivers. Other notable items include microcontroller debug bypasses, ZIP header evasion that defeats some AV/EDR tools, an AI-agent compromise of an internal platform, and targeted phishing against Signal and WhatsApp users.
read more →

North Korean Fake IT Worker Tradecraft Revealed 2026

🔍 GitLab research outlines a North Korean campaign that impersonated recruiters in the 'Contagious Interview' scheme and resulted in the banning of 131 attributed accounts. Many GitLab projects served as obfuscated loaders for malware such as BeaverTail and Ottercookie, with payloads hosted outside repositories. Operators used consumer VPNs, VPSs and laptop farms and shifted to invite-only projects, NPM dependency abuse, sandbox detection and AI-generated personas to scale fake IT worker and freelance scams.
read more →

Contagious Interview Campaign: Malware via Fake Interviews

🔒 Microsoft Defender Experts describe the Contagious Interview campaign, a long-running social engineering operation that delivers malware through staged developer recruitment processes. Threat actors pose as recruiters and persuade victims to clone and execute NPM packages or to trust repository tasks in Visual Studio Code that then fetch backdoors such as Invisible Ferret and FlexibleFerret. The operation targets developer endpoints, source-control credentials, and CI/CD access by weaponizing trusted hiring workflows. Microsoft recommends isolating coding tests, pre-reviewing recruiter repositories, restricting runtimes, protecting secrets, and hunting for editor-to-shell execution chains.
read more →

France: ANSSI Reports Fall in Ransomware Attacks 2025

🔒 The French cybersecurity agency ANSSI reported a decrease in known ransomware incidents in 2025, recording 128 attacks versus 141 in 2024. The agency attributed the decline partly to large-scale law enforcement actions and preventive interventions by cyber defenders, including Operation Endgame. Small and medium businesses remained the most targeted, while healthcare and education saw the sharpest increases. Prominent strains included Qilin, Akira and LockBit 3.0/LockBit Black.
read more →

BeatBanker and BTMOB Android trojans: infection tactics

🚨 BeatBanker is a sophisticated Android trojan targeting Brazilian users through counterfeit pages that mimic Google Play and legitimate services such as INSS Reembolso or Starlink. The malware installs in staged downloads, injects encrypted modules into RAM after device and country checks, and avoids analysis by detecting emulators. It deploys a Monero miner that evades power optimizers by playing near‑inaudible audio and uses Accessibility abuse to overlay screens and divert crypto transfers. Users should stick to official stores, scrutinize permissions, and run up‑to‑date anti‑malware.
read more →

Why Zero Trust Fails in IoT and OT: A Linkage Perspective

⚠️ Zero trust principles deliver measurable gains in enterprise IT, but they often miss dominant failure modes in IoT and OT. The author argues that zero trust assumes explicit, identity-centric and continuously enforceable trust, while IoT/OT systems rely on implicit, durable trust relationships and centralized control paths. Adopt the unified linkage model (ULM) to map adjacency, inheritance and trust propagation, and prioritize protection of management planes, firmware update paths and vendor integrations.
read more →

Cyber-Attacks on UK Firms Rise Nearly Fourfold YoY

📈 The February 2026 Check Point Global Threat Intelligence report found UK organisations saw fewer weekly attacks per organisation (1,504) than the global average (2,086), but a 36% year‑on‑year increase — nearly four times the global 9.8% rise. Education, energy & utilities, government, healthcare and financial services were among the most frequently targeted UK sectors. Ransomware remained acute, with 49 active groups and a plurality of victims attributed to Qilin, Clop and The Gentlemen. The report also warned that widespread, unmanaged GenAI use is elevating inadvertent data‑exposure risk, with one in 31 prompts judged high risk.
read more →

Attackers Abusing Cloud Services to Breach Enterprises

🔐 Attackers increasingly leverage trusted cloud platforms and SaaS APIs to blend malicious activity into routine enterprise traffic. Campaigns such as Gridtide and SesameOp demonstrate adversaries using Google Sheets, OpenAI APIs and cloud storage as covert command-and-control and staging vectors. By operating through legitimate identity systems, management consoles, and ephemeral serverless functions, attackers evade network defenses and static blocklists. The result is harder detection, easier credential harvesting, and persistent access across hybrid environments.
read more →

Cloud Threat Horizons: Emerging Cloud Exploitation Risk

⚠️ The Cloud Threat Horizons report from Google Cloud's Office of the CISO warns that AI-assisted exploitation has compressed the window from vulnerability disclosure to active attacks from weeks to days. In H2 2025, third-party software flaws became the leading initial access vector, surpassing weak credentials. The report urges automated defenses, identity-based controls, and tamper-resistant logging to improve forensic readiness.
read more →

Just 24% Test Identity Disaster Recovery Every Six Months

🔐 A global survey by Quest Software of 650 IT and security practitioners found that only 24% of organisations test identity disaster recovery every six months, while 24% never test recovery plans. The report warns many firms focus on preventative controls and detection rather than response and recovery, increasing risk when identity protections fail. Respondents identified gaps in non-human and third-party identities, legacy on-premises systems and privileged accounts. Adoption of ITDR programmes is rising (57%), and 79% believe AI can improve recovery by reducing alert fatigue and correlating signals.
read more →

X Suspended 800M Accounts in 2024; Manipulation Remains

🛡️ X told British MPs it suspended 800 million accounts in 2024 for breaching rules on platform manipulation and spam. Company government affairs executive Wifredo Fernández said Russia was the most active state-backed manipulator, followed by Iran and China, and that efforts to influence elections and 'flood the zone' persist. Despite Elon Musk's prior pledge to purge bots, X acknowledges hundreds of millions of inauthentic accounts are removed annually, raising concerns about uncaught actors and moderation practices.
read more →