All news with #phishing tag

115,000 Phishing Emails Leveraged Google Classroom

⚠ Check Point uncovered a global phishing campaign that delivered 115,000 fake invitations via Google Classroom to about 13,500 organizations worldwide within a single week. Attackers used seemingly legitimate classroom invites to present unrelated commercial offers and instructed recipients to continue contact via WhatsApp, shifting conversations off monitored email channels. Because many filters treat messages from Google services as trustworthy, these messages often bypass conventional protections. Experts advise staff training, adoption of AI-driven detection that evaluates context and intent, and extending phishing defenses beyond email to collaboration and messaging platforms.

Blind Eagle: Five Clusters Target Colombian Government

⚠️ Recorded Future's Insikt Group attributes five distinct activity clusters to the actor Blind Eagle (tracked as TAG-144) active between May 2024 and July 2025. The campaigns largely targeted Colombian government agencies across local, municipal, and federal levels using spear-phishing, cracked and open-source RATs (including AsyncRAT, Remcos, DCRat, and Lime RAT) and legitimate internet services for staging. Operators abused dynamic DNS, VPS and VPN services and leveraged geofencing and compromised accounts to redirect or evade detection.

Phishing Campaign Uses UpCrypter to Deploy Multiple RATs

🔒 FortiGuard Labs has detailed a global phishing campaign that uses personalized HTML attachments and spoofed websites to deliver a custom loader, UpCrypter, which installs multiple remote access tools. The operation uses tailored lures—voicemail notices and purchase orders—embedding recipient emails and company logos to appear legitimate. The delivered ZIPs contain obfuscated JavaScript that runs PowerShell, fetches further payloads (sometimes hidden via steganography) and ultimately loads RATs such as PureHVNC, DCRat and Babylon, while UpCrypter checks for sandboxes, enforces persistence and can force reboots to hinder analysis.

ZipLine: Advanced Social Engineering Against U.S. Industry

🔒 ZipLine is a highly sophisticated social-engineering phishing campaign identified by Check Point Research that reverses the typical attack flow by initiating contact through corporate “Contact Us” forms. Attackers cultivate multi-week, professional email exchanges and often request NDAs before delivering a malicious ZIP containing the in-memory backdoor MixShell. MixShell maintains covert command-and-control via DNS tunneling with HTTP fallback and executes in memory to reduce forensic traces. The campaign primarily targets U.S. manufacturing and supply-chain–critical organizations and has evolved a second wave that uses an AI transformation pretext to increase legitimacy.

Phishing Campaign Uses UpCrypter to Deploy RATs Globally

📧 Fortinet FortiGuard Labs has observed a phishing campaign using fake voicemail and purchase-order lures to direct victims to convincing landing pages that prompt downloads of JavaScript droppers. The droppers retrieve the UpCrypter loader, which conducts anti-analysis and sandbox checks before fetching final payloads, including various RATs such as PureHVNC, DCRat and Babylon. Attacks since August 2025 have targeted manufacturing, technology, healthcare, construction and retail/hospitality across multiple countries; defenders are urged to block malicious URLs, strengthen email authentication, and monitor anomalous M365 activity.

Global Phishing Campaign Distributes UpCrypter Loader

📧 FortiGuard Labs identified a global phishing campaign that uses crafted HTML email attachments and personalized phishing pages to deliver obfuscated JavaScript droppers which stage the UpCrypter loader on Microsoft Windows systems. The attack uses target-specific URL reconstruction, convincing domain and logo spoofing, and prompts victims to run a bundled JavaScript dropper. The dropper decodes and executes a Base64 PowerShell payload that performs anti-analysis checks, loads an MSIL loader directly into memory, and ultimately deploys multiple RATs (PureHVNC, DCRat, Babylon RAT). Organizations should apply layered email filtering, endpoint least-privilege, and script/memory-aware detection to block these artifacts.

Phishing Campaign Exploits Google Classroom: 115K Emails

📚 Check Point researchers uncovered a large-scale phishing campaign that abused Google Classroom to deliver more than 115,000 malicious emails in five coordinated waves over a single week. Attackers used fake classroom invitations carrying unrelated commercial offers to trick recipients across Europe, North America, the Middle East and Asia. The campaign targeted roughly 13,500 organizations and highlights risks when trusted collaboration tools are weaponized.

Linux Backdoor Delivered via Malicious RAR Filenames

🛡️ Trellix researchers describe a Linux-focused infection chain that uses a malicious RAR filename to trigger command execution. The filename embeds a Base64-encoded Bash payload that leverages shell command injection when untrusted filenames are parsed, allowing an ELF downloader to fetch and run an architecture-specific binary. The chain ultimately delivers the VShell backdoor, which runs in memory to evade disk-based detection.

Phishing Campaign Targets Ledger Users with Fake Update

🔒 A sophisticated phishing campaign impersonating Ledger targets Nano X and Nano S Plus users with an urgent fake firmware update notice. The email claims fragments of private keys were leaked and urges immediate action, but the sender and update domains are not affiliated with Ledger. A professionally designed scam site hosted on an unrelated domain uses a support chat to coax victims into entering their seed phrase, which grants full wallet access. Organizations and individuals should treat unsolicited firmware alerts cautiously and use trained security controls and awareness to avoid compromise.

Microsoft announces Phishing Triage Agent public preview

🛡️The Phishing Triage Agent is now in Public Preview and automates triage of user-reported suspicious emails within Microsoft Defender. Using large language models, it evaluates message semantics, inspects URLs and attachments, and detects intent to classify submissions—typically within 15 minutes—automatically resolving the bulk of false positives. Analysts receive natural‑language explanations and a visual decision map for each verdict, can provide plain‑language feedback to refine behavior, and retain control via role‑based access and least‑privilege configuration.

New DarkCloud Stealer Infection Chain Uses ConfuserEx

🔒 Unit 42 observed a new DarkCloud Stealer infection chain in early April 2025 that employs ConfuserEx-based obfuscation and a final Visual Basic 6 payload. Phishing TAR/RAR/7Z archives deliver obfuscated JavaScript or WSF downloaders which retrieve a PowerShell stage from open directories and drop a ConfuserEx-protected executable. The loaders are heavily protected with javascript-obfuscator and the variant follows prior AutoIt-based deliveries. Palo Alto Networks notes that Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, Cortex XDR and XSIAM can help detect and mitigate these stages and recommends contacting Unit 42 for incident response.