CISO Brief

All news with #adversary in the middle tag

47 articles · page 2 of 3

Europol-Led Operation Disrupts Tycoon 2FA Phishing Service

🛡️ A Europol-led coalition of law enforcement and private cybersecurity firms dismantled Tycoon 2FA, a subscription-based phishing-as-a-service toolkit that enabled adversary-in-the-middle credential and session harvesting at scale. The platform provided a web console for crafting campaigns, harvesting passwords, MFA codes and session cookies, and forwarding stolen data to Telegram for near-real-time monitoring. Authorities seized 330 domains and disrupted infrastructure that generated tens of millions of phishing emails per month, affecting organizations worldwide.

Inside Tycoon2FA: Scale and AiTM Phishing Operations

🔎 Tycoon2FA emerged in August 2023 as a phishing-as-a-service platform that provided adversary-in-the-middle (AiTM) capabilities to relay authentication flows and capture session cookies. Its web-based admin panel centralized templates, redirects, hosting, CAPTCHA, and exfiltration controls while exposing real-time metrics. Fast-moving short-lived domains, Cloudflare hosting, and heavy obfuscation let low-skill operators run scalable campaigns against MFA-protected accounts worldwide.

Global Takedown Disrupts Tycoon2FA Phishing Service

🛡️ Microsoft and Europol, supported by industry partners, seized infrastructure linked to the phishing-as-a-service operator Tycoon2FA, removing over 300 domains used in large-scale MFA-bypass campaigns. The PhaaS offering used adversary-in-the-middle techniques to intercept live authentication sessions and capture credentials, one‑time passcodes and session cookies in real time. Investigators say Tycoon2FA had roughly 2,000 users and leveraged more than 24,000 domains since launching in August 2023. Security firms recommend adopting phishing‑resistant authentication, strict conditional access and advanced email protections.

Starkiller phishing suite proxies real sites to bypass MFA

🔒 Cybersecurity researchers disclosed Starkiller, a commercial phishing suite marketed by a group calling itself Jinkusu that proxies legitimate login pages to bypass multi-factor authentication. The platform launches a headless Chrome instance inside a Docker container and acts as an AitM reverse proxy, relaying keystrokes, form submissions and session tokens. Abnormal warns the toolkit centralizes deployment, URL masking and session monitoring to give low-skill criminals effective MFA-bypass capabilities at scale.

DKnife toolkit hijacks routers to spy and deliver malware

🛡️ Cisco Talos researchers describe DKnife as an ELF-based Linux toolkit used since 2019 to hijack router traffic and perform adversary-in-the-middle operations. The framework has seven modules — including yitiji.bin to create a bridged TAP interface and mmdown.bin to drop malicious APKs — enabling DPI, credential harvesting, and delivery of backdoors such as ShadowPad and DarkNimbus. Talos attributes the activity to a China-nexus actor and noted C2 servers remained active as of January 2026.

Hidden DKnife AitM Framework Targets Routers Since 2019

🔍 Cisco Talos researchers uncovered DKnife, a Linux-based gateway-monitoring and adversary-in-the-middle framework used since at least 2019 and active through January 2026. The toolkit targets routers and edge devices running CentOS/Red Hat Enterprise Linux, using seven ELF components to perform DPI, traffic interception, DNS hijacking and in-line substitution of Android and Windows downloads. Talos attributes the framework with high confidence to Chinese-nexus actors and notes overlaps with campaigns delivering WizardNet, DarkNimbus and ShadowPad.

China-linked DKnife AitM Framework Targets Routers

🔒 Cisco Talos researchers disclosed DKnife, a modular Linux-based adversary-in-the-middle (AitM) framework used by China-linked actors since at least 2019. The toolkit deploys seven router-focused implants to perform deep packet inspection, TLS termination, DNS and update hijacking, credential harvesting, and malware delivery via intercepted APKs and binary replacement. Operators used DKnife to push ShadowPad and DarkNimbus variants and to target Chinese-language services and app updates through compromised routers and edge devices.

DKnife: China-nexus Gateway AitM Framework Revealed

🔍 Cisco Talos disclosed DKnife, a modular Linux-based gateway monitoring and adversary-in-the-middle (AitM) framework that inspects, manipulates, and redirects network traffic on edge devices and routers. It comprises seven ELF components that hijack DNS, Android app updates, and Windows binary downloads to deliver ShadowPad, DarkNimbus, and other backdoors while harvesting credentials and disrupting security-product traffic. Artifacts and Simplified Chinese strings strongly indicate China-nexus operators; Talos observed active C2 infrastructure as of January 2026.

Microsoft Flags Multi-Stage AitM Phishing in Energy Sector

🔒 Microsoft warns of a multi-stage adversary-in-the-middle (AitM) phishing and BEC campaign targeting the energy sector. The attackers abused SharePoint file-sharing and legitimate, trusted sender addresses (a living-off-trusted-sites, or LOTS, technique) to deliver credential-harvesting links, then used stolen session cookies and inbox rules to persist and hide their activity. Microsoft says a simple password reset is insufficient because the stolen cookie stays valid; organizations must revoke sessions, remove malicious rules, and enforce phishing-resistant controls.

Resurgence of AiTM and BEC campaign abusing SharePoint

🔒 Microsoft Defender researchers uncovered a multi‑stage AiTM phishing and BEC campaign that abused SharePoint file‑sharing to deliver credential‑harvesting traps and maintain persistence by creating malicious inbox rules. Attackers used trusted vendor‑style lures and legitimate SharePoint redirects to capture session cookies or credentials, then expanded the campaign across energy sector organizations by sending more than 600 phishing messages from compromised accounts. Defender XDR and Office 365 detections exposed session cookie theft, replay attempts, and malicious inbox rules — remediation requires revoking session cookies, deleting attacker‑created inbox rules, and restoring MFA controls in addition to password resets.
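The remediation guidance in the two Microsoft entries above (revoke sessions, delete attacker-created inbox rules, then reset passwords) implies two detections a defender can run over their own logs, and the same cookie-theft pattern is what the Tycoon2FA and Starkiller kits described earlier produce: a session that was bound by an interactive MFA sign-in from one IP and browser, then reused without fresh MFA from a different IP and browser shortly afterwards, and a newly created inbox rule that hides security- or finance-related mail. The Python below is an added example, not Microsoft's or Defender's code; the field names (sessionId, ipAddress, userAgent, mfaSatisfied, operation, parameters) and every record are constructed for the example and only approximate the shape of Entra ID sign-in logs and the Exchange mailbox audit log.

```python
"""Post-AiTM behavioural checks over constructed sign-in and audit events.

The schema below is an assumption made for this example; map the field
names to your own export of Entra ID sign-in logs and the unified audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: alice completes MFA from the office IP at 09:00,
# then the same session cookie is used 11 minutes later from an unrelated IP
# with a different browser and no fresh MFA (the replay). bob's session is
# reused later from the same IP and browser (benign token refresh).
SIGNINS = [
    {"user": "alice@example.test", "sessionId": "s-1001", "ts": "2025-11-03T09:00:00",
     "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/130",
     "mfaSatisfied": True},
    {"user": "alice@example.test", "sessionId": "s-1001", "ts": "2025-11-03T09:11:00",
     "ipAddress": "198.51.100.77", "userAgent": "Mozilla/5.0 (X11; Linux) Chrome/129",
     "mfaSatisfied": False},
    {"user": "bob@example.test", "sessionId": "s-2002", "ts": "2025-11-03T09:05:00",
     "ipAddress": "203.0.113.11", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/130",
     "mfaSatisfied": True},
    {"user": "bob@example.test", "sessionId": "s-2002", "ts": "2025-11-03T13:05:00",
     "ipAddress": "203.0.113.11", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/130",
     "mfaSatisfied": False},
]

# Constructed mailbox audit events for New-InboxRule. alice's rule has a
# two-character name, moves matching mail to "RSS Subscriptions" and keys on
# words an attacker wants suppressed; bob's rule is an ordinary newsletter filter.
AUDIT = [
    {"user": "alice@example.test", "operation": "New-InboxRule", "ts": "2025-11-03T09:14:00",
     "parameters": {"Name": "..", "SubjectContainsWords": "invoice;password;phish",
                    "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"user": "bob@example.test", "operation": "New-InboxRule", "ts": "2025-11-03T10:00:00",
     "parameters": {"Name": "Newsletters", "From": "news@vendor.test",
                    "MoveToFolder": "Reading"}},
]


def _t(s):
    return datetime.fromisoformat(s)


def find_session_replays(events, window=timedelta(hours=1)):
    """Return (user, sessionId, mfa_ip, replay_ip) for each session that was
    established by an interactive MFA sign-in and then reused, without fresh
    MFA, from a different IP *and* user agent within `window`. A stolen cookie
    replayed from attacker infrastructure looks exactly like this."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["sessionId"])].append(e)
    hits = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        anchor = next((e for e in evs if e["mfaSatisfied"]), None)
        if anchor is None:
            continue  # no MFA-bound sign-in to compare against
        for e in evs:
            if e is anchor or e["mfaSatisfied"]:
                continue
            ip_changed = e["ipAddress"] != anchor["ipAddress"]
            ua_changed = e["userAgent"] != anchor["userAgent"]
            if ip_changed and ua_changed and abs(_t(e["ts"]) - _t(anchor["ts"])) <= window:
                hits.append((user, sid, anchor["ipAddress"], e["ipAddress"]))
    return hits


# Folders attackers use to park mail where the victim will not look.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                "archive", "junk email", "deleted items"}
SENSITIVE_WORDS = {"password", "invoice", "payment", "phish", "hack", "suspicious", "mfa"}


def find_suspicious_inbox_rules(events):
    """Flag New-InboxRule events that hide mail (move to a rarely read folder,
    mark as read, or delete) and either key on security/finance words or carry
    a throwaway name of two characters or fewer."""
    hits = []
    for e in events:
        if e["operation"] != "New-InboxRule":
            continue
        p = e["parameters"]
        hides = (str(p.get("MoveToFolder", "")).lower() in HIDE_FOLDERS
                 or bool(p.get("DeleteMessage")) or bool(p.get("MarkAsRead")))
        words = {w.strip().lower() for w in str(p.get("SubjectContainsWords", "")).split(";") if w}
        short_name = len(str(p.get("Name", ""))) <= 2
        if hides and (words & SENSITIVE_WORDS or short_name):
            hits.append((e["user"], p.get("Name"), sorted(words & SENSITIVE_WORDS)))
    return hits


if __name__ == "__main__":
    for h in find_session_replays(SIGNINS):
        print("possible session replay:", h)
    for h in find_suspicious_inbox_rules(AUDIT):
        print("suspicious inbox rule:", h)
```

Both checks are deliberately conjunctive (IP and user agent must both change; the rule must both hide mail and look attacker-authored) to keep noise from VPN roaming and ordinary mail filters down; a hit on either is the trigger to revoke the user's sessions and delete the rule before resetting the password.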

Spain Arrests 34 Suspects Linked to Black Axe Cybercrime

🛡️ Spanish law enforcement arrested 34 individuals in a coordinated operation targeting a criminal network tied to the Black Axe syndicate, with assistance from the Bavarian State Criminal Police Office and Europol. Searches in Seville, Madrid, Malaga, and Barcelona yielded €66,400 in cash, electronic devices, vehicles, and frozen bank accounts totaling €119,350. Authorities say the group specialized in Man-in-the-Middle (MITM) frauds, notably Business Email Compromise, and caused more than $6 million in losses over 15 years, $3.5 million of which relate to this case. Four principal suspects are in pretrial detention and face charges including aggravated continuous fraud, money laundering, and document forgery.

Two Chrome Extensions Steal Credentials via Proxies

⚠️ Security researchers discovered two malicious Google Chrome extensions, both named Phantom Shuttle, that intercept and exfiltrate credentials and session data from more than 170 targeted domains. After users pay for a subscription, the add-ons enable a proxy 'smarty' mode, inject hard-coded proxy credentials, and route selected traffic through attacker-controlled proxies to establish a persistent Man‑in‑the‑Middle position. A recurring heartbeat to a command-and-control server forwards VIP emails, plaintext passwords and version details, enabling continuous monitoring and credential theft.

Malicious Chrome Extensions Route Traffic to Steal Data

🔒 Two Chrome extensions in the Web Store, both published as Phantom Shuttle, are malicious plugins that hijack browser traffic and have been active since at least 2017, researchers report. Targeting users in China, the extensions pose as proxy and network-speed tools and prepend obfuscated code to the jQuery library to route requests through attacker-controlled proxies using hardcoded credentials and a PAC script. The plugins dynamically reconfigure Chrome proxy settings and route traffic for over 170 high-value domains, intercepting HTTP authentication challenges to capture form credentials, session cookies and API tokens while excluding local networks and the command-and-control domain to limit detection. At the time of reporting the extensions remained in Chrome's official marketplace; users are advised to install only extensions from reputable publishers and review requested permissions carefully.

Star Blizzard Targets Reporters Without Borders in Phishing

📧 Sekoia.io researchers have identified a fresh wave of spear-phishing linked to the Russia-nexus intrusion set Star Blizzard (aka Calisto/ColdRiver) that targeted NGOs including Reporters Without Borders in May–June 2025. Operators impersonated trusted contacts via ProtonMail, using a custom Adversary-in-the-Middle kit to harvest credentials and relay 2FA prompts through compromised sites and redirectors. Observed tactics included a ZIP disguised as a .pdf, decoy encrypted PDFs instructing victims to open files in ProtonDrive, injected JavaScript to lock password-field focus, and an API-driven workflow for handling CAPTCHA and 2FA challenges, underscoring continued risk to Western organizations supporting Ukraine.

Hybrid 2FA Phishing Kits Evade Kit-Specific Detection

🔐 Researchers at Any.Run report a hybrid 2FA-phishing strain that fuses elements of Salty2FA and Tycoon2FA, producing payloads that evade detection rules tuned to either kit alone. The samples begin with Salty-style obfuscation and trampoline JavaScript, then shift into Tycoon’s DGA domains and AiTM execution chain. Analysts warn defenders to focus on behavioral patterns and fallback routines rather than static indicators of compromise.

Fake Calendly Invites Spoof Brands to Hijack Ad Accounts

📅 A targeted phishing campaign uses fake Calendly meeting invitations impersonating recruiters from major brands to harvest Google Workspace and Facebook Business credentials. The lures are professionally crafted—likely produced with AI—and direct victims through a CAPTCHA to an AiTM credential‑harvesting flow capable of bypassing some 2FA protections. Compromised ad manager accounts are then leveraged for malvertising, geo‑targeted attacks, device‑specific campaigns, or resale on illicit markets.

Australian Man Jailed Seven Years for 'Evil Twin' Wi‑Fi

🔒 A 44-year-old man has been sentenced to seven years after pleading guilty to operating “evil twin” Wi‑Fi networks to harvest credentials and intimate images. AFP officers found a Wi‑Fi Pineapple, a laptop and a phone after airline staff reported a suspicious hotspot during a domestic flight. Forensic analysis recovered thousands of images and account credentials, and investigators linked malicious pages to airports and flights. Authorities advised users to disable automatic Wi‑Fi, use a reputable VPN, turn off file sharing and avoid sensitive transactions on public hotspots.

PlushDaemon Deploys EdgeStepper AitM Malware Globally

🛡️ A China-aligned group known as PlushDaemon has been observed deploying a previously undocumented network implant, codenamed EdgeStepper, to perform adversary-in-the-middle DNS attacks. ESET researchers found an ELF sample (internally called dns_cheat_v2) that forwards DNS traffic to attacker-controlled nodes, enabling update hijacking. Operators then deploy the downloaders LittleDaemon and DaemonicLogistics to install espionage backdoors.

EdgeStepper Backdoor Reroutes DNS to Hijack Updates

🔒 ESET researchers disclosed a Go-based network backdoor dubbed EdgeStepper, used by the China-aligned actor PlushDaemon to reroute DNS queries and enable adversary-in-the-middle (AitM) attacks. EdgeStepper forces update-related DNS lookups to attacker-controlled nodes, delivering a malicious DLL that stages additional components. The chain targets update mechanisms for Chinese applications including Sogou Pinyin and ultimately fetches the SlowStepper backdoor to exfiltrate data.

EdgeStepper Enables PlushDaemon Update Hijacking Attacks

🛡️ ESET researchers describe how the China-aligned actor PlushDaemon uses a previously undocumented network implant called EdgeStepper to perform adversary-in-the-middle hijacks of software update flows. EdgeStepper, a Go-based MIPS32 implant, redirects DNS traffic to malicious resolvers that reply with IPs of attacker-controlled hijacking nodes, causing legitimate updaters to fetch counterfeit components such as LittleDaemon. The analysis details the implant's AES-CBC encrypted configuration (notably using the GoFrame default key), iptables redirection of UDP/53 to a local port, and the downloader chain (LittleDaemon and DaemonicLogistics) that stages and deploys the SlowStepper backdoor on Windows hosts.
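The iptables detail in the ESET entry above (UDP/53 redirected to a local port so the implant can answer DNS for update hosts) gives a responder something concrete to audit on a Linux gateway, and the same nat-table check applies to the router-resident DKnife framework described earlier on this page. The Python below is an added example, not ESET's or Talos's tooling: it parses iptables-save output for nat rules that REDIRECT or DNAT port 53, then matches a REDIRECT target port to the process bound to it in ss -ulnp output. Both inputs are constructed here, and the process name svc_mon is hypothetical.

```python
"""Audit a Linux gateway for DNS traffic being steered away from its resolver.

Constructed iptables-save and `ss -ulnp` output stand in for live captures;
on a real host run `iptables-save > nat.txt` and `ss -ulnp > ss.txt` and feed
those files to triage().
"""
import re

# Constructed iptables-save output. The first PREROUTING rule is the pattern
# the article describes (UDP/53 bounced to a local port); the TCP/53 DNAT sends
# DNS to another host; the port-80 DNAT is unrelated; the filter-table rule
# mentions port 53 but does not redirect anything and must not be flagged.
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.0.2.5:53
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.5:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

# Constructed `ss -ulnp` output; "svc_mon" is a hypothetical process name.
SS_ULNP = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("svc_mon",pid=1337,fd=4))
UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=812,fd=5))
"""


def parse_nat_rules(iptables_save_text):
    """Yield one dict per '-A ...' rule in the *nat table of iptables-save output."""
    table = None
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A "):
            continue
        toks = line.split()
        rule = {"chain": toks[1], "proto": None, "dport": None, "target": None, "to": None, "raw": line}
        for i, t in enumerate(toks):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if t == "-p":
                rule["proto"] = nxt
            elif t == "--dport":
                rule["dport"] = nxt
            elif t == "-j":
                rule["target"] = nxt
            elif t in ("--to-ports", "--to-destination", "--to"):
                rule["to"] = nxt
        yield rule


def find_dns_redirects(iptables_save_text):
    """Return nat rules that send port-53 traffic somewhere other than its
    original destination: REDIRECT to a local port or DNAT to another host."""
    return [r for r in parse_nat_rules(iptables_save_text)
            if r["dport"] == "53" and r["target"] in ("REDIRECT", "DNAT")]


def listener_for_port(ss_text, port):
    """From `ss -ulnp` output, return the process name bound to `port`, or None."""
    pat = re.compile(r'^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
    for line in ss_text.splitlines():
        m = pat.match(line.strip())
        if m and m.group(2) == str(port):
            return m.group(3)
    return None


def triage(iptables_save_text, ss_text):
    """Pair each DNS redirect with the local process that receives it (REDIRECT
    only; a DNAT to another host has no local listener to look up)."""
    findings = []
    for r in find_dns_redirects(iptables_save_text):
        port = r["to"].rsplit(":", 1)[-1] if r["to"] else None
        proc = listener_for_port(ss_text, port) if r["target"] == "REDIRECT" and port else None
        findings.append((r["chain"], r["proto"], r["target"], r["to"], proc))
    return findings


if __name__ == "__main__":
    for f in triage(IPTABLES_SAVE, SS_ULNP):
        print("DNS steering rule:", f)
```

A port-53 REDIRECT is not malicious by itself (dnsmasq-based captive portals and some parental-control appliances install the same rule), which is why the second step matters: the process answering on the target port should be a resolver you installed, not an unknown ELF dropped under a system-looking name.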