All news with #proofpoint tag

UNK_SmudgedSerpent Targets Academics and Policy Experts

🛡️ Proofpoint has identified a previously unknown cluster it calls UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Attackers initiated benign, topical conversations and used think‑tank impersonation alongside an OnlyOffice‑styled link that led to health-themed domains harvesting credentials and delivering a ZIP with an MSI. The installer deployed remote monitoring and management tooling — notably PDQConnect and later ISL Online — and although email activity paused in early August, related infrastructure later surfaced hosting TA455-linked malware, leaving attribution unresolved.

SmudgedSerpent Targets U.S. Policy Experts Amid Tensions

🔍 Proofpoint attributes a previously unseen cluster, UNK_SmudgedSerpent, to targeted attacks on U.S. academics and foreign‑policy experts between June and August 2025. The adversary used tailored political lures and credential‑harvesting landing pages, at times distributing an MSI that deployed legitimate RMM software such as PDQ Connect. Tactics resemble Iranian-linked groups and included impersonation of think‑tank figures to increase credibility.

Phishing and RMM Tools Enable Growing Cargo Thefts

🚚 Proofpoint warns of a spear‑phishing campaign targeting North American freight firms that installs remote monitoring and access tools to enable cargo theft. Actors compromise broker load boards, insert themselves into carrier email threads, or pose as brokers to deliver signed installers that harvest credentials and establish persistent access. The attackers have deployed a range of RMM/RAS solutions (for example ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N‑able, and LogMeIn Resolve) and use them to bid on or reroute high‑value loads; Proofpoint urges blocking unauthorized RMMs, enforcing endpoint/network detection and MFA, disallowing external executables, and expanding phishing awareness training.

Cybercriminals Exploit RMM Tools to Steal Truck Cargo

🚚 Proofpoint warns that cybercriminals are increasingly deploying legitimate remote monitoring and management tools to compromise trucking and logistics firms, enabling cargo theft and financial gain. Working with organized crime, they target asset-based carriers, brokers and integrated providers—especially food and beverage shipments—using compromised emails, fraudulent load-board listings and booby-trapped MSI/EXE installers to deliver ScreenConnect, SimpleHelp and other RMMs. Once inside, attackers conduct reconnaissance, harvest credentials with tools like WebBrowserPassView, delete bookings, block dispatcher alerts and reassign loads to facilitate physical theft, often selling stolen cargo online or overseas.

CASB Buying Guide: Key Capabilities, Vendors, and Questions

🔒 A Cloud Access Security Broker (CASB) sits between enterprise endpoints and cloud services to deliver visibility, enforce access controls and detect threats. This guide summarizes core CASB functions — visibility, control, data protection and compliance — and contrasts deployment modes (API vs proxy). It profiles major vendors such as Netskope, Microsoft Defender for Cloud Apps, Palo Alto Networks and others, and presents 16 practical questions to assess internal readiness and evaluate providers against SSE/SASE roadmaps.

Researchers Expose TA585 Delivering MonsterV2 RAT via Phishing

🔎 Proofpoint researchers detailed a previously undocumented actor, TA585, observed delivering the off‑the‑shelf malware MonsterV2 through tailored phishing chains. The actor appears to manage its entire operation — infrastructure, delivery, and payload installation — employing web injections, CAPTCHA overlays and ClickFix social engineering to trigger PowerShell or Run commands. MonsterV2 functions as a RAT, stealer and loader with HVNC, keylogging, clipboard clippers and a C++ crypter (SonicCrypt) to evade detection. Proofpoint also links parts of the infrastructure to other stealer campaigns and highlights commercialized pricing and geographic filtering in its monetization.

Watering-Hole Campaign Deploys ScanBox Keylogger Nearby

🕵️ A China-linked actor, assessed as APT TA423 (Red Ladon), used targeted phishing and watering-hole pages to serve the ScanBox JavaScript reconnaissance framework to Australian domestic organizations and offshore energy firms between April and mid‑June 2022. The injected script acts as a browser-based keylogger and conducts extensive fingerprinting, enumerating OS, plugins, extensions, WebRTC and Flash. ScanBox further leverages STUN and ICE via WebRTC to establish peer connections and reach hosts behind NAT, enabling covert collection of typed data without writing malware to disk. Proofpoint and PwC researchers link the campaign to TA423 and note its likely intelligence focus on regional maritime and naval activity.

Fake Reservation Links Target Travel and Hospitality Industry

✈️ A longtime threat group tracked as TA558 has resumed phishing campaigns that spoof hotel or reservation notices to lure travelers into downloading malware. Campaigns increasingly deliver ISO and RAR container files via URLs that, when decompressed, execute batch scripts and PowerShell helpers to fetch RATs such as AsyncRAT. TA558 has shifted from macro-laden Office documents to containerized attachments after Microsoft limited macros. Travel organizations and customers should be wary of unexpected reservation emails and avoid opening unknown archives.