<ciso brief />

All news with #phishing tag

615 articles · page 25 of 31

CISOs Brace for an Escalating AI-versus-AI Cyber Fight

🔐 AI-enabled attacks are rapidly shifting the threat landscape, with cybercriminals using deepfakes, automated phishing, and AI-generated malware to scale operations. According to Foundry's 2025 Security Priorities Study and CSO reporting, autonomous agents can execute full attack chains at machine speed, forcing defenders to adopt AI as a copilot backed by rigorous human oversight. Organizations are prioritizing human risk, verification protocols, and training to counter increasingly convincing AI-driven social engineering.

Microsoft Digital Defense Report 2025: Threat Trends

🔒 Microsoft's 2025 Digital Defense Report finds that most attacks aim to steal data for profit, with extortion and ransomware responsible for over 52% of incidents while espionage accounts for only about 4%. Covering July 2024–June 2025, the report highlights rising use of AI, automation, and off‑the‑shelf tools that enable scalable phishing, malware, and identity theft. Microsoft urges adoption of phishing‑resistant MFA, AI‑driven defenses, and strengthened cross‑sector collaboration to protect critical public services and build resilience.

Microsoft: 100 Trillion Signals Daily as AI Fuels Risk

🛡️ The Microsoft Digital Defense Report 2025 reveals Microsoft systems analyze more than 100 trillion security signals every day and warns that AI now underpins both defense and attack. The report describes adversaries using generative AI to automate phishing, scale social engineering and discover vulnerabilities faster, while autonomous malware adapts tactics in real time. Identity compromise is the leading vector—phishing and social engineering caused 28% of breaches—and although MFA blocks over 99% of unauthorized access attempts, adoption remains uneven. Microsoft urges board-level attention, phishing-resistant MFA, cloud workload mapping and monitoring, intelligence sharing and immediate AI and quantum risk planning.

LastPass: Phishing campaign impersonates product, warns users

🔒 LastPass has confirmed it was not breached after detecting a targeted phishing campaign that mimicked its branding. The emails used the subject line "We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security" and came from spoofed senders such as hello@lastpasspulse.blog and hello@lastpassgazette.blog. Links in the messages redirected recipients to phishing sites (lastpassdesktop.com and lastpassgazette.blog), and attackers have also registered lastpassdesktop.app for potential follow-ups. Cloudflare is displaying warnings and LastPass said it is working to have the malicious domains taken down.

Microsoft Tops Brand Phishing Impersonations in Q3 2025

🔍 Cyber criminals continue to favor familiar brands, with Microsoft used in 40% of all brand impersonation attempts in Q3 2025, according to Check Point Research’s Brand Phishing Report. Google represented 9% and Apple 6%, and together these tech giants comprised more than half of brand-related phishing activity. The findings highlight persistent targeting of the technology sector and underscore the need for stronger defenses and user awareness.

ThreatsDay Bulletin: $15B Crypto Seizure, Weekly Risks

🔔 This week’s ThreatsDay bulletin highlights a historic U.S. DOJ seizure of roughly $15 billion in cryptocurrency linked to an alleged transnational fraud network, alongside active commodity malware, phishing-as-a-service, and novel abuses of legitimate tools. Notable incidents include the Brazil-distributed Maverick banking trojan spread via a WhatsApp worm, consumer-grade interception of geostationary satellite traffic, and UEFI BombShell flaws enabling bootkit persistence. Priorities: identity resilience, patching, and monitoring of remote-access and cloud services.

Rethinking Enterprise Phishing Training Effectiveness

🔒 Phishing remains a pervasive threat—IBM attributes roughly 15% of data breaches to these attacks—yet standard training approaches are delivering limited protection. Recent studies cited in the article show annual awareness modules and embedded simulated-phish interventions often fail to change user behavior or secure genuine engagement, with many users closing training pages outright. Security leaders are advised to treat training as one element of a broader risk-reduction strategy that pairs behavioral design, clear escalation steps, measurable metrics, incentives, and technical controls such as two-factor authentication and improved phishing detection.

Phishing Campaign Uses Fake LastPass/Bitwarden Breach Alerts

⚠ The phishing campaign impersonates LastPass and Bitwarden, sending convincing emails claiming breaches and urging users to install a 'more secure' desktop app. The distributed binary installs the legitimate Syncro MSP agent, which then deploys ScreenConnect remote-access software to give attackers persistent control. Cloudflare is blocking the malicious landing pages, and vendors confirm no breaches occurred.

Whisper 2FA Drives Nearly One Million Phishing Attacks

🛡️ Whisper 2FA has emerged as a highly active phishing kit, responsible for almost one million attacks since July 2025, according to Barracuda. The platform leverages AJAX to create a live relay between victims and attackers, repeatedly capturing passwords and MFA codes until a valid token is obtained. Campaigns impersonate services like DocuSign, Adobe and Microsoft 365 and use urgent lures such as invoices or voicemail notices. Rapid evolution, dense obfuscation and anti-debugging measures make detection and analysis increasingly difficult.

Google introduces six features to combat scams in 2025

🛡️ Google announced six new product protections designed to help users detect and avoid online scams and fraud. Features include Safer links and Key Verifier in Google Messages, Recovery Contacts, and Sign in with Mobile Number to simplify device transfers and account recovery. The company also launched the Be Scam Ready interactive game and expanded education and partnerships focused on older adults and youth. These measures are rolling out globally as part of an ongoing effort to counter evolving threats like deepfakes and voice cloning.

Google expands protections and tools to combat scams

🔒 Google is rolling out multiple new features to reduce scams across its services, including link warnings and navigation blocking in Google Messages when messages are flagged as spam. A Key Verifier QR option helps confirm end-to-end encrypted contacts on Android, while expanded recovery options — including Recovery Contacts and Sign in with Mobile Number — aim to simplify secure account recovery. Google also launched educational tools and partnerships to raise scam awareness.

PhantomVAI Loader Delivers Multiple Infostealers Worldwide

🛡️ The Unit 42 report details a multi-stage phishing campaign that leverages heavily obfuscated JavaScript/VBS and PowerShell to load a C# .NET loader named PhantomVAI, which hides DLL payloads inside image files via steganography. The loader's VAI routine performs virtual-machine detection, establishes persistence (scheduled tasks, wscript, Run keys) and retrieves payloads by process hollowing into legitimate host processes. Observed final payloads include Katz Stealer, AsyncRAT and FormBook. Palo Alto Networks' Advanced WildFire, Cortex XDR and XSIAM have updated protections and indicators of compromise.

TA585 Deploys MonsterV2 Malware With Sophisticated Delivery

🔍 Proofpoint researchers uncovered TA585, a cybercriminal group that operates its own phishing, delivery and malware infrastructure rather than outsourcing. The actor distributes MonsterV2, a subscription-based RAT/stealer/loader that avoids CIS systems and offers modules like HVNC. Early 2025 campaigns used ClickFix social engineering and compromised sites with fake CAPTCHAs to filter victims and deliver payloads, and organisations should train users to spot ClickFix and restrict PowerShell for non-admins.

Researchers Expose TA585 Delivering MonsterV2 RAT via Phishing

🔎 Proofpoint researchers detailed a previously undocumented actor, TA585, observed delivering the off‑the‑shelf malware MonsterV2 through tailored phishing chains. The actor appears to manage its entire operation — infrastructure, delivery, and payload installation — employing web injections, CAPTCHA overlays and ClickFix social engineering to trigger PowerShell or Run commands. MonsterV2 functions as a RAT, stealer and loader with HVNC, keylogging, clipboard clippers and a C++ crypter (SonicCrypt) to evade detection. Proofpoint also links parts of the infrastructure to other stealer campaigns and highlights commercialized pricing and geographic filtering in its monetization.

Spain Arrests Leader of GXC Team Phishing Operation

🚨 Spanish authorities have arrested a 25-year-old Brazilian national accused of leading the GXC Team, a Crime-as-a-Service operation that sold phishing kits, Android malware and AI-based tools to cybercriminals. The Guardia Civil detained the suspect known as "GoogleXcoder" after a year-long investigation and six coordinated raids across Spain. Investigators seized devices containing source code, client communications and cryptocurrency records, and identified six suspected accomplices. The probe, supported by Group-IB and Brazil's Federal Police, remains ongoing as authorities disable the group's online infrastructure.

Varonis Interceptor: Multimodal AI Email Defense Platform

🛡️ Varonis introduces Interceptor, an AI-native email security solution that combines multimodal AI—visual, linguistic, and behavioral models—to detect advanced phishing, BEC, and social engineering. It augments or replaces API-based filters with a phishing sandbox that pre-analyzes newly registered domains and URLs and a lightweight browser extension for multichannel protection. Integrated with the Varonis Data Security Platform, Interceptor aims to reduce false positives, accelerate detection of zero-hour threats, and stop breaches earlier in the attack chain.

Astaroth Banking Trojan Uses GitHub to Stay Operational

🔒 Cybersecurity researchers warn of a recent campaign delivering the Astaroth banking trojan that leverages GitHub repositories to host hidden configurations and regain functionality after C2 takedowns. The attack, concentrated in Brazil and across Latin America, begins with a DocuSign-themed phishing message that drops an LNK file which executes obfuscated JavaScript, retrieves an AutoIt loader and ultimately injects a Delphi-based DLL. Astaroth monitors browser activity for banking and cryptocurrency sites, exfiltrates credentials via Ngrok, and employs steganography, anti-analysis checks, and persistent LNK-based startup execution to maintain stealth and resilience.

Fake 'Inflation Refund' Texts Target New Yorkers in NY

🔔 A new smishing campaign impersonates the New York Department of Taxation and Finance, sending texts that urge recipients to submit payment information to process an 'Inflation Refund.' Links lead to a counterfeit site requesting name, address, phone, email and Social Security Number. New Yorkers are reminded the refund is automatic for eligible taxpayers and agencies will not text or call for payment details. Report suspicious messages to the Tax Department or IRS.

Spain Dismantles GXC Team Cybercrime Syndicate, Leader Held

🔒 Spain's Guardia Civil has dismantled the GXC Team cybercrime syndicate and arrested its alleged leader, a 25-year-old Brazilian known as GoogleXcoder. The group operated a crime-as-a-service platform on Telegram and a Russian-speaking forum, selling AI-driven phishing kits, Android malware that intercepted SMS/OTPs, and voice-scam tools. Authorities seized devices, source code and communication logs, and recovered stolen cryptocurrency. Nationwide raids on May 20 led to channel takedowns and the identification of additional suspects; the investigation remains ongoing.

175 Malicious npm Packages Used in Large-Scale Phishing

⚠️ Researchers have identified 175 malicious packages on the npm registry used as infrastructure for a widespread phishing campaign called Beamglea. The packages, collectively downloaded about 26,000 times, host redirect scripts served via unpkg.com that route victims to credential-harvesting pages. Attackers automated package publication and embedded victim-specific emails into generated HTML, pre-filling login fields to increase the likelihood of successful credential capture.