< ciso brief />

All news with #spear phishing tag

106 articles

KongTuke Uses Microsoft Teams to Gain Corporate Access

🔒 Threat actor KongTuke has begun using Microsoft Teams to socially engineer employees and quickly gain persistent network access. Attackers impersonate IT staff, trick victims into running a malicious PowerShell command, and deploy ModeloRAT via a Dropbox-hosted ZIP containing a portable WinPython runtime. ReliaQuest observed the campaign active since April 2026, with attackers rotating Microsoft 365 tenants and employing Unicode tricks to appear legitimate. The malware includes resilient C2, multiple access paths, and persistence methods that can survive standard cleanup.

FrostyNeighbor targets Ukrainian government with new loader

🧊 ESET telemetry details newly observed operations by the FrostyNeighbor actor, targeting governmental, military and key sectors in Ukraine and neighbouring Eastern European countries. The March 2026 campaign begins with spearphishing PDFs that link to RAR archives containing a JavaScript dropper; the script deploys a JavaScript variant of PicassoLoader which fetches and executes a Cobalt Strike beacon. Operators use server-side validation of IP and user agent to restrict final payload delivery and often host infrastructure behind Cloudflare. The group also employs diverse lure formats and exploit chains to evade detection.

BlueNoroff Targets Crypto Firms with AI-Enhanced Lures

🔒 Arctic Wolf attributes a large-scale spear-phishing campaign to BlueNoroff, a subgroup of the Lazarus Group, which targeted more than 100 cryptocurrency and fintech organizations across 20+ countries. The operation used typosquatted Zoom and Microsoft Teams links, manipulated Calendly invites, fake meeting interfaces and ClickFix-style clipboard injection to harvest credentials and wallet data. Researchers observed a self-sustaining deepfake pipeline, PowerShell-based C2, AES-encrypted browser payloads and Telegram-based exfiltration, with some intrusions persisting for 66 days.

Threat Actor Uses Microsoft Teams to Deploy 'Snow' Malware

❄️ UNC6692 uses social engineering and Microsoft Teams to deliver a custom malware suite dubbed Snow. The attackers combine an 'email bombing' tactic with Teams messages posing as IT helpdesk staff to lure victims into installing a fake patch. The link drops AutoHotkey scripts that load SnowBelt, a malicious Chrome extension that operates in a headless Edge session, establishing persistence and relaying commands to a Python backdoor via a WebSocket tunneler.

UNC6692 Uses Microsoft Teams to Deploy SNOW Malware

🔒 Mandiant attributes a newly documented cluster, UNC6692, with social-engineering campaigns via Microsoft Teams that coerce victims into installing malicious software and browser extensions. The actor leverages large-scale email-bombing to create urgency, then impersonates IT helpdesk staff to deliver an AutoHotkey-based installer hosted on attacker-controlled AWS S3. That installer loads the SNOW malware family — including SNOWBELT, SNOWGLAZE, and SNOWBASIN — enabling credential theft, tunneling, lateral movement, and data exfiltration.

APT37 Uses Facebook Social Engineering to Spread RokRAT

🔒 North Korea–linked APT37 has been observed using Facebook friend requests and Messenger to build trust with targets before moving conversations to Telegram and distributing a ZIP archive containing a trojanized Wondershare PDFelement. The tampered installer executes encrypted shellcode that contacts a compromised legitimate site, japanroom[.]com, to fetch a seemingly benign JPG which stages the RokRAT payload. The malware then leverages Zoho WorkDrive for command-and-control, enabling screenshots, remote command execution via cmd.exe, host reconnaissance, and evasion of security products.

LucidRook Lua Malware Targets NGOs and Universities

🛡️ Cisco Talos has identified a new Lua-based backdoor called LucidRook used in October 2025 spear-phishing operations targeting NGOs and universities in Taiwan. Attackers delivered payloads via password-protected archives and deployed either an LNK shortcut chain that dropped a loader named LucidPawn or a fake antivirus EXE. LucidPawn sideloads a malicious DLL (DismCore.dll) and embeds a Lua interpreter to fetch obfuscated bytecode, enabling modular updates while reducing forensic visibility. Collected reconnaissance is RSA-encrypted and exfiltrated via FTP; a related tool, LucidKnight, was observed abusing Gmail GMTP for data exfiltration.

UAT-10362 Deploys Lua-Based LucidRook Against Taiwan NGOs

🔍 Cisco Talos attributes a previously undocumented cluster, UAT-10362, to targeted spear-phishing against Taiwanese NGOs and suspected universities, deploying a new Lua-based stager named LucidRook. The actor uses RAR/7-Zip lures and a dropper called LucidPawn, relying on repeated DLL side-loading to execute payloads. LucidRook embeds a Lua 5.4.8 interpreter and Rust libraries to fetch and run encrypted Lua bytecode, while some variants use a reconnaissance DLL, LucidKnight, to profile targets before staging further activity.

Middle East Hack-for-Hire Campaign Linked to Bitter APT

🔒 A spear-phishing campaign targeting Middle Eastern civil society and journalists has been linked to the South Asian threat actor Bitter, according to Access Now and mobile-security firm Lookout. Active from 2023 through 2025, the operation used Android spyware tracked as ProSpy and deceptive staging sites to deliver malicious APKs and harvest credentials. Attackers attempted Apple and Google account takeovers and could exfiltrate files, messages, contacts, geolocation and remotely enable microphones and cameras.

Bitter-Linked Hack-for-Hire Targets MENA Journalists

🔎 Access Now, Lookout, and SMEX report a coordinated hack-for-hire campaign that targeted journalists, activists, and officials across the MENA region from 2023–2025. The operation used spear-phishing, OAuth consent-based pages, and messaging-platform lures to harvest credentials and two-factor codes. Observed domains impersonated Apple, Signal, Telegram, and Android services, and infrastructure overlaps link activity to a cluster known as Bitter. One Apple account was compromised while other intrusion attempts were blocked.

APT28 Deploys PRISMEX Malware Against Ukraine Allies

🔍 Trend Micro links a targeted spear-phishing campaign to APT28 that delivers a previously undocumented malware suite called PRISMEX, active since at least September 2025. The operation blends steganography, COM DLL hijacking, and abuse of legitimate cloud services to retrieve and execute in-memory payloads. Researchers observed rapid weaponization of CVE-2026-21509 and CVE-2026-21513, with overlapping infrastructure such as "wellnesscaremed[.]com". The toolkit includes PrismexSheet, PrismexDrop, PrismexLoader and a COVENANT-based stager that has been associated with both espionage and destructive wiper activity.

LucidRook: Lua-Based Stager Targeting Taiwanese NGOs

🛡️ Cisco Talos disclosed a targeted spear‑phishing campaign delivering LucidRook, a Lua‑based stager that embeds a Lua 5.4 interpreter and Rust‑compiled libraries inside a DLL to fetch and run staged Lua bytecode. The threat actor delivered payloads via password‑protected archives and used decoy documents to distract victims while the dropper executed. Two delivery chains were observed — an LNK dropper LucidPawn and a .NET EXE masquerading as antivirus — both abusing public FTP services and OAST domains. Execution is gated to Traditional Chinese locales linked to Taiwan.

NCSC Warns of Targeted Attacks on WhatsApp, Signal Users

🔔 The UK's National Cyber Security Centre (NCSC) has warned of an increase in targeted attacks against users of messaging apps including WhatsApp, Facebook Messenger and Signal, attributing activity to Russia-based actors and noting similar prior activity by APT31 and IRGC-linked hackers. Attackers use malicious links, QR codes, account takeovers, group infiltration and impersonation to steal credentials or deliver malware. The NCSC advises high-risk users to enable multi-factor authentication, avoid sharing verification codes, regularly review linked devices and use corporately managed messaging services for work.

TA446 Uses Leaked DarkSword iOS Exploit in Email Campaign

🔒 Proofpoint disclosed a targeted email campaign by Russia-linked TA446 that leverages the leaked DarkSword iOS exploit kit to target iPhones. The group used spoofed "discussion invitation" messages impersonating the Atlantic Council to deliver the GHOSTBLADE dataminer and, in some instances, the MAYBEROBOT backdoor via password-protected ZIPs. Proofpoint noted sharply increased message volume and server-side filtering that routes only iPhone browsers to the exploit chain. Apple has issued lock-screen warnings urging immediate updates to block the threat.

Silver Fox Phishing Targets Japanese Firms During Tax Season

🦊 Silver Fox has resumed targeted spearphishing against Japanese companies during the annual tax and personnel change season. Attackers send tailored, believable HR and tax-themed emails and spoof trusted employees to deliver malicious attachments or links that drop ValleyRAT. Because recipients expect such communications, these lures increase the risk of compromise. Verify suspicious requests through alternate channels and report them to security teams immediately.

Phishing Impersonating Palo Alto Networks Recruiters

🔔 Unit 42 reports a targeted phishing campaign where attackers impersonate Palo Alto Networks talent acquisition staff to lure senior professionals. Adversaries use scraped LinkedIn data, company logos, and look-alike email domains to claim candidates’ resumes fail applicant tracking systems and pressure them into paid 'ATS alignment' services. Recipients are advised to verify sender domains, refuse payment requests, avoid suspicious attachments, and report incidents to corporate security and Unit 42 for assistance.

Silver Fox Campaigns Shift Toward Dual Espionage and Crime

🦊 Sekoia has identified a series of Silver Fox campaigns from 2025–2026 that blend espionage and financially motivated cybercrime. Attackers used tax- and payroll-themed phishing lures, SEO poisoning and malicious ads to deliver tools such as ValleyRAT, HoldingHands and a custom Python credential stealer disguised as a WhatsApp app. Targets included organizations across Taiwan, Japan and multiple Southeast Asian countries. Researchers say the group’s modular approach enables rapid tool changes while preserving persistence in compromised networks.

Konni Deploys EndRAT via KakaoTalk Spear-Phishing Campaign

⚠️ South Korean firm Genians links a multi-stage intrusion to the North Korean-affiliated Konni group, which used spear-phishing ZIP attachments containing malicious .LNK shortcuts to deploy an AutoIt remote-access trojan, EndRAT. The shortcut fetches a next-stage payload, establishes persistence via scheduled tasks, and displays a PDF decoy while the malware stealthily exfiltrates documents. Investigators found additional AutoIt artifacts for RftRAT and RemcosRAT, and the attacker abused the victim's KakaoTalk desktop to send infected ZIP files to selected contacts, turning compromised systems into propagation hubs.

BlackSanta EDR Killer Targets HR Departments Globally

🛡️ Researchers at Aryaka uncovered a Russian-speaking threat actor using targeted spear-phishing emails that delivered ISO attachments masquerading as resumes to deploy a new EDR-killing module named BlackSanta. The multi-stage infection leverages a malicious .LNK to launch a PowerShell script that extracts hidden code via steganography and runs payloads in memory. The chain also uses DLL sideloading with a legitimate SumatraPDF executable and a malicious DWrite.dll, and performs extensive fingerprinting and environment checks to evade sandboxes. BlackSanta disables and terminates security tooling, adjusts Microsoft Defender settings and suppresses notifications to minimize user alerts.

Multi-Stage BadPaw Malware Campaign Targets Ukraine

🐾 ClearSky researchers uncovered a multi-stage malware campaign named BadPaw that leverages emails from the Ukrainian provider ukr.net to lure recipients to a ZIP download. The archive contains an HTA disguised as HTML that displays a decoy document while launching hidden components. BadPaw checks system age to evade sandboxes, extracts payloads, and uses a scheduled task plus steganography to persist. A staged C2 flow ultimately deploys a multi-layered backdoor, MeowMeowProgram.exe, with low AV detection.