All news with #data exfil via tools tag

Watering-Hole Campaign Deploys ScanBox Keylogger Nearby

🕵️ A China-linked actor, assessed as APT TA423 (Red Ladon), used targeted phishing and watering-hole pages to serve the ScanBox JavaScript reconnaissance framework to Australian domestic organizations and offshore energy firms between April and mid‑June 2022. The injected script acts as a browser-based keylogger and conducts extensive fingerprinting, enumerating OS, plugins, extensions, WebRTC and Flash. ScanBox further leverages STUN and ICE via WebRTC to establish peer connections and reach hosts behind NAT, enabling covert collection of typed data without writing malware to disk. Proofpoint and PwC researchers link the campaign to TA423 and note its likely intelligence focus on regional maritime and naval activity.

Fake Reservation Links Target Travel and Hospitality Industry

✈️ A longtime threat group tracked as TA558 has resumed phishing campaigns that spoof hotel or reservation notices to lure travelers into downloading malware. Campaigns increasingly deliver ISO and RAR container files via URLs that, when decompressed, execute batch scripts and PowerShell helpers to fetch RATs such as AsyncRAT. TA558 has shifted from macro-laden Office documents to containerized attachments after Microsoft limited macros. Travel organizations and customers should be wary of unexpected reservation emails and avoid opening unknown archives.