All news with #phishing tag

🔍 Dark Atlas has uncovered a growing cluster of fraudulent domains used by the Chinese-speaking Smishing Triad to impersonate major Egyptian and global service providers, including Fawry, Egypt Post and Careem. Analysts traced malicious infrastructure in AS132203 — linked to Tencent facilities — after examining HTTP headers and running targeted Shodan searches, which revealed additional spoofed pages for brands such as UnionPay and TikTok. The group advertises a configurable smishing kit on Telegram that automates deployment of multilingual phishing templates for delivery, telecom, government and payment services worldwide.

⚠️ Cybersecurity researchers report a JackFix campaign that uses fake Windows Update pop-ups on cloned adult sites to trick users into running mshta.exe and PowerShell commands. According to Acronis and Huntress, the attack chain leverages obfuscation, privilege escalation and can deploy multiple stealers including Rhadamanthys, RedLine and Vidar. Organizations are advised to train users and consider disabling the Windows Run box via Group Policy or Registry changes to reduce risk.

🛡️ Unit 42 examines the growing threat of malicious large language models that have been intentionally stripped of safety controls and repackaged for criminal use. These tools — exemplified by WormGPT and KawaiiGPT — generate persuasive phishing, credential-harvesting lures, polymorphic malware scaffolding, and end-to-end extortion workflows. Their distribution ranges from paid subscriptions and source-code sales to free GitHub deployments and Telegram promotion. The report urges stronger alignment, regulation, and defensive resilience and offers Unit 42 incident response and AI assessment services.

🔒 Researchers warn of ClickFix attack variants that display a realistic full‑screen fake Windows Update animation in the browser to trick users into pasting commands that execute malware. Operators use steganography to hide AES‑encrypted shellcode inside PNG pixel data and leverage mshta, PowerShell, and a .NET Stego Loader to reconstruct and run payloads. Huntress observed delivery of LummaC2 and Rhadamanthys info stealers and a dynamic evasion ctrampoline technique to hinder analysis. A law enforcement takedown in November disrupted payload delivery on some fake update domains.

📞Harvard University disclosed that systems used by Alumni Affairs and Development were accessed in a phone‑based phishing attack discovered on November 18, 2025. Exposed information includes email addresses, phone numbers, home and business addresses, event attendance records, donation details, and biographical data for alumni, donors, some students, faculty and staff. The university stated the compromised systems did not contain Social Security numbers, passwords, payment card data, or financial account information. Harvard sent notifications on November 22 and is working with law enforcement and third‑party cybersecurity experts to investigate and remediate the incident.

📱 CISA warns that multiple cyber threat actors are actively using commercial spyware to target users of mobile messaging applications. These actors employ phishing, malicious device-linking QR codes, zero-click exploits, and impersonation of platforms such as Signal and WhatsApp to gain unauthorized access and deploy additional malicious payloads. CISA urges users to review updated mobile communications guidance and mitigations to reduce spyware risk.

🔔 Matrix Push C2 is a browser-native, fileless C2 platform that leverages web push notifications, fake alerts, and link redirects to distribute phishing links across operating systems. Attackers social-engineer users into allowing notifications on malicious or compromised sites, then send branded, OS-like alerts with action buttons that redirect victims to fraudulent landing pages. Sold as a MaaS kit via Telegram and cybercrime forums, it includes a web dashboard, analytics, URL shortening, configurable templates (e.g., MetaMask, Netflix, PayPal), and tiered crypto-paid subscriptions.

⚠️ Criminal networks are exploiting shortages of GLP-1 drugs like Ozempic, Wegovy and Mounjaro, using AI to generate convincing counterfeit websites, emails and documents that impersonate regulators and health services across Europe. They are hijacking the identities of the NHS, AEMPS, ANSM, BfArM and AIFA to market fake weight-loss products and harvest payments. Check Point Research documents the tactics, scale and public-safety implications of this rapidly evolving scam epidemic.

🔔 BlackFrog has identified a new command-and-control platform, Matrix Push C2, that abuses browser push notifications to deliver phishing and malware. The campaign social-engineers users into allowing notifications and then issues realistic system-style alerts that redirect victims to malicious sites. Described as fileless, the technique leverages the browser notification channel rather than an initial executable. The platform includes a web dashboard with real-time client visibility, analytics and templates impersonating services like MetaMask, Netflix and PayPal.

🛡️ Avast has integrated its new AI-powered Scam Guardian into Avast Free Antivirus, offering free, continuous protection against increasingly sophisticated, AI-enhanced scams worldwide. The feature analyzes website content, code, links, SMS and email context to flag deceptive intent and neutralize hidden threats. A premium Scam Guardian Pro in Avast Premium Security adds an Email Guard for contextual email scanning across devices. The rollout aims to democratize AI-based scam defense and give users clear, actionable guidance.

🛡️ APT24 has deployed a previously undocumented downloader called BADAUDIO to maintain persistent remote access in a nearly three-year campaign beginning November 2022. The highly obfuscated C++ downloader uses control-flow flattening and DLL search-order hijacking to fetch AES-encrypted payloads from hard-coded C2s; analysts observed Cobalt Strike delivered in at least one case. Operators distributed BADAUDIO via watering holes, supply-chain compromises, typosquatted CDNs and targeted phishing, employing FingerprintJS and encrypted cloud-hosted archives to selectively target victims and evade detection.

🛡️ Researchers report that the Sneaky2FA phishing-as-a-service kit now includes browser-in-the-browser (BITB) functionality that lets attackers embed a fake browser window with a customizable URL bar to mimic legitimate sites such as Microsoft. The iframe-backed pop-up captures credentials and MFA codes in real time, enabling attackers to hijack active sessions. This change lowers the skill threshold for criminals and undermines many signature-based defenses, prompting calls for updated training and stronger browser configurations.

🔍 Google filed a court complaint alleging a "cybercriminal group in China" sold branded "Lighthouse" phishing kits that let unsophisticated fraudsters run large-scale SMS and e-commerce scams. The kits bundle hundreds of fake-website templates, domain setup tools, and subscription licenses offered weekly, monthly, seasonal, annual, or permanent. Campaigns often begin with texts about overdue tolls or package redelivery and sometimes appear as ads (including ads that persisted until Google suspended accounts). Victims who click are redirected to fraudulent sites that solicit passwords, credit card numbers, or payments purportedly accepted via wallets such as Google Pay.

🔒 Check Point Research reports a significant increase in Black Friday–themed domain registrations, with about 1 in 11 newly registered domains classified as malicious. Brand impersonation is a primary tactic: roughly 1 in 25 new domains referencing marketplaces like Amazon, AliExpress, and Alibaba are flagged. Attackers create convincing fake storefronts that copy logos, layouts, and imagery to harvest credentials and payment data, with recent campaigns impersonating HOKA and AliExpress demonstrating active phishing tied to seasonal promotions.

🔒 CTM360 reports a large-scale campaign, dubbed HackOnChat, that deploys deceptive web portals and impersonation pages to compromise WhatsApp accounts worldwide. Attackers rapidly create thousands of malicious URLs on inexpensive domains and web-building platforms, luring users with fake security alerts and lookalike login pages. Once accounts are taken, they are abused to defraud contacts, harvest sensitive data, and expand the scam.

🔒 Sneaky2FA has integrated a Browser-in-the-Browser (BitB) pop-up that impersonates Microsoft sign-in windows and adapts to the victim’s OS and browser. Used alongside its existing SVG-based and attacker-in-the-middle (AitM) proxying, the BitB layer renders a fake URL bar and loads a reverse-proxy Microsoft login to capture credentials and active session tokens, enabling access even when 2FA is active. The kit also employs heavy obfuscation and conditional loading to evade analysis.

🔒 Push Security says the Sneaky 2FA Phishing-as-a-Service kit now leverages Browser-in-the-Browser (BitB) pop-ups to impersonate Microsoft login pages and conceal malicious URLs. Victims first pass a Cloudflare Turnstile bot check before a fake "Sign in with Microsoft" flow is loaded in an embedded BitB window that exfiltrates credentials and session data. The campaign pairs conditional loading, developer‑tool blocking, obfuscation, and rapid domain rotation; organizations should tighten conditional access and users should avoid unknown links and browser extensions.

🔐 The Tycoon 2FA phishing kit is a turnkey, scalable Phishing-as-a-Service that automates real-time credential and MFA relay attacks against Microsoft 365 and Gmail. It provisions fake login pages and reverse proxies, intercepts usernames, passwords and session cookies, then proxies the MFA flow so victims unknowingly authenticate attackers. The kit includes obfuscation, compression, bot-filtering, CAPTCHA and debugger checks to evade detection and only reveals full behavior to human targets. Organizations are urged to adopt FIDO2-based, hardware-backed biometric and domain-bound authentication to prevent such relay attacks.

🔐 Tycoon 2FA is a turnkey phishing kit that automates real-time MFA relays, enabling attackers to capture credentials, session cookies, and live authentication flows for Microsoft 365 and Gmail. It requires no coding skill, includes layered evasion (obfuscation, compression, bot filtering and debugger checks), and proxies MFA prompts so victims unknowingly authenticate attackers. The result undermines SMS, TOTP and push methods and can enable full session takeover. The article urges migration to phishing-resistant FIDO2 hardware and domain-bound biometric authenticators.

🛡️ Mandiant has linked suspected Iranian espionage actors to a sustained campaign by UNC1549 that deployed backdoors such as TWOSTROKE and DEEPROOT against aerospace, aviation, and defense organizations in the Middle East. Operating from late 2023 through 2025, the group abused trusted third parties and VDI sessions to pivot into customer environments and leveraged highly targeted, role‑relevant phishing. Observed operations combined credential theft, lateral movement, custom tunnellers and credential‑stealing utilities to execute long‑term reconnaissance and data exfiltration.