< ciso
brief />
Tag Banner

All news with #spear phishing tag

118 articles

Suspected China-Nexus Campaign Targets Indian Taxpayers

🛡️ Seqrite Labs uncovered a targeted multi-stage phishing operation, dubbed Operation DragonReturn, impersonating India's Income Tax Department to deliver a remote access trojan. First observed on May 18, 2026, the campaign uses carefully crafted bilingual lures, malicious PDF attachments, and a ZIP-based DLL side-loading chain to install persistence and exfiltrate sensitive financial and credential data. The activity shows links to China-hosted infrastructure and overlaps with known tax-themed threat groups.
read more →

Armored Likho targets governments and utilities

🛡️ Kaspersky attributes a newly documented threat actor, Armored Likho, to espionage and financially motivated campaigns against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The group's toolkit includes obfuscated Python stealers (BusySnake), modular RATs, Go2Tunnel for reverse SSH, and droppers delivered via spear-phishing or weaponized LNK files exploiting CVE-2025-9491. The malware emphasizes persistence, credential theft, and dynamic module delivery tailored to victims.
read more →

US offers $10M for info on hackers targeting Signal and WhatsApp

🔔 The U.S. Department of State is offering up to $10 million through its Rewards for Justice program for information identifying members of UNC5792 and UNC4221, two groups tied to Russian intelligence and military services. The bounty follows FBI and CISA updates that these groups conducted phishing campaigns targeting Signal and WhatsApp users, including attempts to steal Signal Backup Recovery Keys by impersonating support agents. Targets included U.S. and NATO officials, journalists, NGOs, and researchers.
read more →

Mustang Panda uses cloud service for stealth C2

🛡️ A China-aligned espionage group, Mustang Panda, has run two campaigns targeting Indian government and hydropower-related networks, using new malware and abusing Zoho WorkDrive as a covert command-and-control channel. Acronis Threat Research Unit found active compromises affecting senior administrative systems, worked with CERT-In for remediation, and detailed three tools: SHARDLOADER, MINIRECON, and ZOHOMURK. The intrusions leveraged DLL sideloading via signed binaries and spear-phishing lures themed to hydropower and bilateral memoranda, with beaconing recorded from June 12–22, 2026.
read more →

Gamaredon expands malware and exfiltration tactics

🛡️ ESET observed 35 spear-phishing campaigns by the Russian APT group Gamaredon across 2025, primarily targeting Ukrainian government and military entities. Campaigns used HTML smuggling, archive attachments and a patched WinRAR flaw (CVE-2025-8088) to deploy HTA downloaders that drop payloads like PteroSand. The group enhanced persistence and lateral movement via PteroLNK, PteroPaste and PteroSetup while increasingly abusing tunnel and serverless services to hide infrastructure.
read more →

Windows SprySOCKS variants used in gov’t targeting

🔎 ESET researchers report Windows versions of the SprySOCKS malware, linked to the Chinese threat actor Earth Lusca, were used in 2023–2024 attacks against government organizations in Taiwan, Thailand, Pakistan, and Honduras. The Windows family includes WIN_DRV with kernel drivers for rootkit-like stealth and WIN_PLUS, a lighter backdoor. Both support TCP/UDP/WebSocket communications, SOCKS proxying, extensive C2 commands, file and process management, and data collection such as keystrokes and clipboard contents.
read more →

Microsoft Teams Phishing Risks and Mitigations

🛡️ This Unit 42 report examines how threat actors use Microsoft Teams to impersonate IT staff, leveraging external chat and compromised or typosquatted accounts to phish employees. It outlines real-world incidents, explains how permissive federation and external chat settings widen the attack surface, and emphasizes that identity systems are the ultimate target. The article recommends tighter configuration, identity-centric controls, monitoring, and updated user training.
read more →

WhatsApp disrupts alleged NSO spear‑phishing attacks

🔒 WhatsApp says it detected and disrupted spear‑phishing campaigns it attributes to the NSO Group after investigating user reports of social‑engineering attacks. Meta reports the phishing lures redirected targets to external websites and that test accounts and groups linked to the activity were removed. The company provided three domains as indicators of compromise and urged users to update apps and enable protections such as Advanced Protection on Android and Lockdown Mode on iOS.
read more →

Agencies Warn of LinkedIn Recruitment for Espionage

🛡️ A joint bulletin from the FBI, MI5, ASIO, CSIS and NZSIS warns that Chinese military intelligence is using professional networking sites and job platforms to recruit Western workers into sharing sensitive information. The advisory details fake cover companies, targeted outreach on platforms like LinkedIn, and staged hiring processes that escalate from innocuous reports to requests for privileged material via encrypted messaging. Targets include military personnel, academics, journalists, and think-tank staff, and payments are made through common money-transfer and crypto services. The agencies urge scepticism toward unsolicited, well-targeted approaches and rapid moves to encrypted apps.
read more →

Asin Android spyware targets Arabic-speaking users

🛡️ ESET has identified a new Android spyware family named Asin that targets Arabic-speaking users through multiple campaigns observed since early 2025. The malware was distributed via fake websites impersonating a government news source, a PDF editor, and a live war map, and was promoted on social platforms like Facebook and Telegram. Infections require manual APK installation and permission grants, with samples found on devices in Türkiye and on Xiaomi devices running Android 15. Attribution and precise objectives remain unknown, though journalists and OSINT researchers are likely targets.
read more →

Greyvibe: Russian-linked group using AI in attacks

🛡️ Researchers from WithSecure uncovered a Russian-aligned group dubbed Greyvibe that extensively leverages large language models across its campaigns targeting private, government, and military organizations in Ukraine. The group uses spear phishing, fake websites, malicious archives, and ClickFix-style CAPTCHAs to deliver custom malware such as PhantomRelay, LegionRelay, and Android spyware FallSpy. Observed tooling and infrastructure indicate systematic use of generative AI for lure creation, code development, and backend setup, blurring lines between state-aligned activity and cybercrime ecosystem actors.
read more →

Silent Ransom Group Escalates Law Firm Attacks

🔒 The FBI warns that the Silent Ransom Group (SRG), also known as Luna Moth and UNC3753, has increasingly targeted US law firms since 2023 using advanced social engineering. SRG has shifted from phishing and callback tactics to impersonating IT staff via phone and in-person visits to gain remote or physical access. Once inside, actors use legitimate tools like WinSCP or renamed Rclone to exfiltrate data without encrypting systems. The FBI recommends stronger cyber hygiene, phishing-resistant MFA, visitor verification, and limiting remote access and external drive installation on sensitive endpoints.
read more →

KongTuke Uses Microsoft Teams to Gain Corporate Access

🔒 Threat actor KongTuke has begun using Microsoft Teams to socially engineer employees and quickly gain persistent network access. Attackers impersonate IT staff, trick victims into running a malicious PowerShell command, and deploy ModeloRAT via a Dropbox-hosted ZIP containing a portable WinPython runtime. ReliaQuest observed the campaign active since April 2026, with attackers rotating Microsoft 365 tenants and employing Unicode tricks to appear legitimate. The malware includes resilient C2, multiple access paths, and persistence methods that can survive standard cleanup.
read more →

FrostyNeighbor targets Ukrainian government with new loader

🧊 ESET telemetry details newly observed operations by the FrostyNeighbor actor, targeting governmental, military and key sectors in Ukraine and neighbouring Eastern European countries. The March 2026 campaign begins with spearphishing PDFs that link to RAR archives containing a JavaScript dropper; the script deploys a JavaScript variant of PicassoLoader which fetches and executes a Cobalt Strike beacon. Operators use server-side validation of IP and user agent to restrict final payload delivery and often host infrastructure behind Cloudflare. The group also employs diverse lure formats and exploit chains to evade detection.
read more →

BlueNoroff Targets Crypto Firms with AI-Enhanced Lures

🔒 Arctic Wolf attributes a large-scale spear-phishing campaign to BlueNoroff, a subgroup of the Lazarus Group, which targeted more than 100 cryptocurrency and fintech organizations across 20+ countries. The operation used typosquatted Zoom and Microsoft Teams links, manipulated Calendly invites, fake meeting interfaces and ClickFix-style clipboard injection to harvest credentials and wallet data. Researchers observed a self-sustaining deepfake pipeline, PowerShell-based C2, AES-encrypted browser payloads and Telegram-based exfiltration, with some intrusions persisting for 66 days.
read more →

Threat Actor Uses Microsoft Teams to Deploy 'Snow' Malware

❄️UNC6692 uses social engineering and Microsoft Teams to deliver a custom malware suite dubbed Snow. The attackers combine an 'email bombing' tactic with Teams messages posing as IT helpdesk staff to lure victims into installing a fake patch. The link drops AutoHotkey scripts that load SnowBelt, a malicious Chrome extension that operates in a headless Edge session, establishing persistence and relaying commands to a Python backdoor via a WebSocket tunneler.
read more →

UNC6692 Uses Microsoft Teams to Deploy SNOW Malware

🔒 Mandiant attributes a newly documented cluster, UNC6692, with social-engineering campaigns via Microsoft Teams that coerce victims into installing malicious software and browser extensions. The actor leverages large-scale email-bombing to create urgency, then impersonates IT helpdesk staff to deliver an AutoHotkey-based installer hosted on attacker-controlled AWS S3. That installer loads the SNOW malware family — including SNOWBELT, SNOWGLAZE, and SNOWBASIN — enabling credential theft, tunneling, lateral movement, and data exfiltration.
read more →

APT37 Uses Facebook Social Engineering to Spread RokRAT

🔒 North Korea–linked APT37 has been observed using Facebook friend requests and Messenger to build trust with targets before moving conversations to Telegram and distributing a ZIP archive containing a trojanized Wondershare PDFelement. The tampered installer executes encrypted shellcode that contacts a compromised legitimate site, japanroom[.]com, to fetch a seemingly benign JPG which stages the RokRAT payload. The malware then leverages Zoho WorkDrive for command-and-control, enabling screenshots, remote command execution via cmd.exe, host reconnaissance, and evasion of security products.
read more →

LucidRook Lua Malware Targets NGOs and Universities

🛡️ Cisco Talos has identified a new Lua-based backdoor called LucidRook used in October 2025 spear-phishing operations targeting NGOs and universities in Taiwan. Attackers delivered payloads via password-protected archives and deployed either an LNK shortcut chain that dropped a loader named LucidPawn or a fake antivirus EXE. LucidPawn sideloads a malicious DLL (DismCore.dll) and embeds a Lua interpreter to fetch obfuscated bytecode, enabling modular updates while reducing forensic visibility. Collected reconnaissance is RSA-encrypted and exfiltrated via FTP; a related tool, LucidKnight, was observed abusing Gmail GMTP for data exfiltration.
read more →

UAT-10362 Deploys Lua-Based LucidRook Against Taiwan NGOs

🔍 Cisco Talos attributes a previously undocumented cluster, UAT-10362, to targeted spear‑phishing against Taiwanese NGOs and suspected universities, deploying a new Lua‑based stager named LucidRook. The actor uses RAR/7‑Zip lures and a dropper called LucidPawn, relying on repeated DLL side‑loading to execute payloads. LucidRook embeds an Lua 5.4.8 interpreter and Rust libraries to fetch and run encrypted Lua bytecode, while some variants use a reconnaissance DLL, LucidKnight, to profile targets before staging further activity.
read more →