< ciso
brief />
Tag Banner

All news with #spear phishing tag

118 articles · page 2 of 6

Middle East Hack-for-Hire Campaign Linked to Bitter APT

🔒 A spear-phishing campaign targeting Middle Eastern civil society and journalists has been linked to the South Asian threat actor Bitter, according to Access Now and mobile-security firm Lookout. Active from 2023 through 2025, the operation used Android spyware tracked as ProSpy and deceptive staging sites to deliver malicious APKs and harvest credentials. Attackers attempted Apple and Google account takeovers and could exfiltrate files, messages, contacts, geolocation and remotely enable microphones and cameras.
read more →

Bitter-Linked Hack-for-Hire Targets MENA Journalists

🔎 Access Now, Lookout, and SMEX report a coordinated hack-for-hire campaign that targeted journalists, activists, and officials across the MENA region from 2023–2025. The operation used spear-phishing, OAuth consent-based pages, and messaging-platform lures to harvest credentials and two-factor codes. Observed domains impersonated Apple, Signal, Telegram, and Android services, and infrastructure overlaps link activity to a cluster known as Bitter. One Apple account was compromised while other intrusion attempts were blocked.
read more →

APT28 Deploys PRISMEX Malware Against Ukraine Allies

🔍 Trend Micro links a targeted spear-phishing campaign to APT28 that delivers a previously undocumented malware suite called PRISMEX, active since at least September 2025. The operation blends steganography, COM DLL hijacking, and abuse of legitimate cloud services to retrieve and execute in-memory payloads. Researchers observed rapid weaponization of CVE-2026-21509 and CVE-2026-21513, with overlapping infrastructure such as "wellnesscaremed[.]com". The toolkit includes PrismexSheet, PrismexDrop, PrismexLoader and a COVENANT-based stager that has been associated with both espionage and destructive wiper activity.
read more →

LucidRook: Lua-Based Stager Targeting Taiwanese NGOs

🛡️ Cisco Talos disclosed a targeted spear‑phishing campaign delivering LucidRook, a Lua‑based stager that embeds a Lua 5.4 interpreter and Rust‑compiled libraries inside a DLL to fetch and run staged Lua bytecode. The threat actor delivered payloads via password‑protected archives and used decoy documents to distract victims while the dropper executed. Two delivery chains were observed — an LNK dropper LucidPawn and a .NET EXE masquerading as antivirus — both abusing public FTP services and OAST domains. Execution is gated to Traditional Chinese locales linked to Taiwan.
read more →

NCSC Warns of Targeted Attacks on WhatsApp, Signal Users

🔔 The UK's National Cyber Security Centre (NCSC) has warned of an increase in targeted attacks against users of messaging apps including WhatsApp, Facebook Messenger and Signal, attributing activity to Russia-based actors and noting similar prior activity by APT31 and IRGC-linked hackers. Attackers use malicious links, QR codes, account takeovers, group infiltration and impersonation to steal credentials or deliver malware. The NCSC advises high-risk users to enable multi-factor authentication, avoid sharing verification codes, regularly review linked devices and use corporately managed messaging services for work.
read more →

TA446 Uses Leaked DarkSword iOS Exploit in Email Campaign

🔒 Proofpoint disclosed a targeted email campaign by Russia-linked TA446 that leverages the leaked DarkSword iOS exploit kit to target iPhones. The group used spoofed "discussion invitation" messages impersonating the Atlantic Council to deliver the GHOSTBLADE dataminer and, in some instances, the MAYBEROBOT backdoor via password-protected ZIPs. Proofpoint noted sharply increased message volume and server-side filtering that routes only iPhone browsers to the exploit chain. Apple has issued lock-screen warnings urging immediate updates to block the threat.
read more →

Silver Fox Phishing Targets Japanese Firms During Tax Season

🦊 Silver Fox has resumed targeted spearphishing against Japanese companies during the annual tax and personnel change season. Attackers send tailored, believable HR and tax-themed emails and spoof trusted employees to deliver malicious attachments or links that drop ValleyRAT. Because recipients expect such communications, these lures increase the risk of compromise. Verify suspicious requests through alternate channels and report them to security teams immediately.
read more →

Phishing Impersonating Palo Alto Networks Recruiters

🔔 Unit 42 reports a targeted phishing campaign where attackers impersonate Palo Alto Networks talent acquisition staff to lure senior professionals. Adversaries use scraped LinkedIn data, company logos, and look-alike email domains to claim candidates’ resumes fail applicant tracking systems and pressure them into paid 'ATS alignment' services. Recipients are advised to verify sender domains, refuse payment requests, avoid suspicious attachments, and report incidents to corporate security and Unit 42 for assistance.
read more →

Silver Fox Campaigns Shift Toward Dual Espionage and Crime

🦊 Sekoia has identified a series of Silver Fox campaigns from 2025–2026 that blend espionage and financially motivated cybercrime. Attackers used tax- and payroll-themed phishing lures, SEO poisoning and malicious ads to deliver tools such as ValleyRAT, HoldingHands and a custom Python credential stealer disguised as a WhatsApp app. Targets included organizations across Taiwan, Japan and multiple Southeast Asian countries. Researchers say the group’s modular approach enables rapid tool changes while preserving persistence in compromised networks.
read more →

Konni Deploys EndRAT via KakaoTalk-Spear Phishing Campaign

⚠️ South Korean firm Genians links a multi-stage intrusion to the North Korean-affiliated Konni group, which used spear-phishing ZIP attachments containing malicious .LNK shortcuts to deploy an AutoIt remote-access trojan, EndRAT. The shortcut fetches a next-stage payload, establishes persistence via scheduled tasks, and displays a PDF decoy while the malware stealthily exfiltrates documents. Investigators found additional AutoIt artifacts for RftRAT and RemcosRAT, and the attacker abused the victim's KakaoTalk desktop to send infected ZIP files to selected contacts, turning compromised systems into propagation hubs.
read more →

BlackSanta EDR Killer Targets HR Departments Globally

🛡️ Researchers at Aryaka uncovered a Russian-speaking threat actor using targeted spear-phishing emails that delivered ISO attachments masquerading as resumes to deploy a new EDR-killing module named BlackSanta. The multi-stage infection leverages a malicious .LNK to launch a PowerShell script that extracts hidden code via steganography and runs payloads in memory. The chain also uses DLL sideloading with a legitimate SumatraPDF executable and a malicious DWrite.dll, and performs extensive fingerprinting and environment checks to evade sandboxes. BlackSanta disables and terminates security tooling, adjusts Microsoft Defender settings and suppresses notifications to minimize user alerts.
read more →

Multi-Stage BadPaw Malware Campaign Targets Ukraine

🐾 ClearSky researchers uncovered a multi-stage malware campaign named BadPaw that leverages emails from the Ukrainian provider ukr.net to lure recipients to a ZIP download. The archive contains an HTA disguised as HTML that displays a decoy document while launching hidden components. BadPaw checks system age to evade sandboxes, extracts payloads, and uses a scheduled task plus steganography to persist. A staged C2 flow ultimately deploys a multi-layered backdoor, MeowMeowProgram.exe, with low AV detection.
read more →

Spyware Campaign Mimics Israel's Red Alert App via SMS

🚨 Researchers at CloudSEK have uncovered a mobile espionage campaign, dubbed RedAlert, that distributes a trojanized version of Israel's official Red Alert rocket warning app via SMS phishing and sideloaded fake updates. The malicious build imitates the genuine interface and continues to deliver real alerts while running a covert surveillance payload that requests high-risk permissions such as SMS access, contacts and precise GPS. It uses advanced anti-detection techniques — including spoofing the original signing certificate, falsifying Play Store installation metadata and manipulating Android's package manager via reflection and proxy hooks — to hide secondary payloads and avoid integrity checks. Incident response guidance recommends isolating affected devices, revoking privileges, performing factory resets when necessary, and blocking known domains while restricting sideloading through mobile device management.
read more →

Iran-linked Actor Targets Iraqi Government Officials

🔎 Zscaler ThreatLabz detected a January 2026 campaign by an Iran-nexus actor tracked as Dust Specter that impersonated Iraq’s Ministry of Foreign Affairs and used compromised government infrastructure to host and distribute payloads. The operation deployed previously undocumented tooling — SplitDrop, TwinTask, TwinTalk — and a consolidated .NET RAT called GhostForm. Researchers observed emoji and unicode artifacts in decompiled code that strongly suggest generative AI assisted in development.
read more →

SloppyLemming Hits Pakistan and Bangladesh With Dual Malware

🛡️Arctic Wolf reports SloppyLemming operated from January 2025 to January 2026, targeting government and critical infrastructure organizations in Pakistan and Bangladesh. The actor used spear‑phishing PDFs and macro‑enabled Excel files to deliver two distinct toolchains: a DLL side‑loading path that deploys an in‑memory backdoor and a Rust‑based keylogger. The side‑loading route leverages ClickOnce manifests to drop a legitimate .NET binary (NGenTask.exe) and a malicious loader (mscorsvc.dll) that decrypts and runs the implant BurrowShell. The keylogger includes port scanning and network enumeration capabilities and the campaign abused Cloudflare Workers domains and Havoc/Cobalt Strike tradecraft.
read more →

North Korean Phishing Targets Programming Job Seekers

⚠️ Researchers report a new phishing campaign in which North Korean hackers pose as company recruiters and lure developer job candidates with seemingly legitimate coding challenges. When victims run the supplied code, it installs malware on their machines, creating a direct avenue for compromise. Reversing Labs analyzed the samples and BleepingComputer provided additional reporting. Candidates and employers should be cautious about running unvetted code and verify recruiter identities.
read more →

Unmasking Agent Tesla: Multi-Stage Campaign Analysis

🔍 This Fortinet analysis dissects a recent multi-stage campaign deploying Agent Tesla, which targets Windows users with credential theft and keylogging. The chain uses spearphishing with RAR attachments containing obfuscated JSE loaders that fetch encrypted PowerShell scripts and reflectively load .NET assemblies in memory. Operators leverage process hollowing, virtualization and sandbox checks, and SMTP-based exfiltration to minimize detection. Fortinet telemetry and cross-product protections are highlighted to help organizations mitigate the threat.
read more →

Job-themed repo lures target developers with backdoors

🛡️ Microsoft warns that a coordinated campaign is using job-themed repositories—often posing as Next.js projects or technical assessments—to infect developer systems with multi-stage backdoors. Attackers embed workspace automation, build scripts, or server startup hooks so simply opening or building a project can load remote JavaScript and execute in memory. Microsoft advises containing affected endpoints, tracing process trees, hunting for repeated polling to attacker infrastructure, enforcing VS Code Workspace Trust, applying attack surface reduction, enabling cloud reputation checks, and tightening developer trust boundaries.
read more →

Phishing Campaign Steals Credentials from Freight Firms

📧 A financially motivated threat group dubbed Diesel Vortex has run an extensive phishing campaign since September 2025 targeting freight and logistics operators across the U.S. and Europe, using roughly 52 domains to harvest credentials. Researchers at Have I Been Squatted and partner Ctrl-Alt-Intel discovered exposed repositories and Telegram webhook logs revealing the group's tooling, communications, and an internal mind map describing a call-center style operation. The campaign stole 1,649 unique credential pairs and employed sophisticated evasion — Cyrillic homoglyphs, a nine-stage cloaking chain, voice phishing, Telegram infiltration, and pixel-perfect clones — before coordinated takedowns disrupted the infrastructure.
read more →

UAC-0050 Targets European Financial Institution with RMS

🔒 A Russia-aligned cybercrime cluster tracked as UAC-0050 (also known as DaVinci Group and labeled Mercenary Akula by BlueVoyant) carried out a spear-phishing operation this month against a European financial institution involved in regional development and reconstruction. The campaign spoofed a Ukrainian judicial domain and lured a senior legal and policy advisor to download an archive hosted on PixelDrain, which unpacked into a password-protected chain culminating in an executable disguised as a PDF. Execution led to installation of an MSI that deployed RMS remote desktop software, providing persistent remote control and file-transfer capabilities, consistent with the group’s prior use of remote-access tools to evade detection and maintain stealthy access.
read more →