< ciso brief />

All news with #phishing attachment tag

5 articles

UnsolicitedBooker Targets Central Asian Telecoms via Malware

🔒 Positive Technologies reports that the UnsolicitedBooker cluster has shifted from Saudi targets to telecommunications firms in Kyrgyzstan and Tajikistan, deploying two backdoors named LuciDoor and MarsSnake. The intrusions relied on phishing with malicious Microsoft Office documents that prompt users to enable macros, dropping C++ loaders (LuciLoad and MarsSnakeLoader) that deploy the payloads. In some cases the attackers used LNK-based chains, compromised routers for C2, and infrastructure mimicking Russian systems, while leveraging rarely seen tools of Chinese origin.

MuddyWater Exploits Compromised Mailboxes in Global Phishing

🔒 Group-IB researchers have uncovered a global phishing campaign that used compromised mailboxes to deliver malicious Microsoft Word attachments, attributed with high confidence to the Iran-linked actor MuddyWater. The operation abused a mailbox accessed through NordVPN to send trusted-looking messages that prompted users to enable macros, which then installed the Phoenix v4 backdoor. Investigators also found RMM tools (PDQ, Action1, ScreenConnect) and a Chromium_Stealer credential stealer, while infrastructure traced back to the domain screenai[.]online and an IP address tied to NameCheap-hosted services.

Beware of threats lurking in booby-trapped PDF files

📄 PDF files are a ubiquitous, convenient format that cybercriminals increasingly abuse as lures, with ESET telemetry placing PDFs among the top malicious attachment types. Attack techniques include embedded scripts, hidden links, malformed objects that exploit reader vulnerabilities, and files that merely masquerade as .pdf while actually being executables or archives. Verify sender context, enable Protected View or sandboxing, consider disabling JavaScript in your PDF reader, and scan or sandbox suspicious attachments before opening; when in doubt, confirm via a separate channel.

Oversized SVG Files Deliver AsyncRAT Across Latin America

๐Ÿ›ก๏ธ A recent campaign in Latin America leverages oversized SVG image attachments to deliver AsyncRAT by embedding the entire malicious payload inside the XML. Victims receive convincing, urgent emails impersonating judicial services, and interacting with the >10MB SVG loads a fake portal that triggers a password-protected ZIP download containing an executable and a DLL-sideloaded payload. ESET telemetry highlights a spike in activity, notably affecting Colombia, while attackers appear to use AI to generate unique, randomized SVGs to evade detection.

Lighthouse and Lucid PhaaS Linked to 17,500 Phishing Domains

๐Ÿ” Netcraft reports that the PhaaS platforms Lucid and Lighthouse are linked to more than 17,500 phishing domains impersonating 316 brands across 74 countries. Lucid, first documented by PRODAFT in April, supports smishing via Apple iMessage and RCS and is tied to the Chinese-speaking XinXin group. Both services offer customizable templates, real-time victim monitoring, and granular targeting controls (User-Agent, proxy country, configured paths) that restrict access to intended victims. Lighthouse subscriptions run from $88 per week to $1,588 per year, underscoring the commercial scale of these offerings.