CISO Brief

All news with #spear phishing tag

106 articles · page 2 of 6

Spyware Campaign Mimics Israel's Red Alert App via SMS

🚨 Researchers at CloudSEK have uncovered a mobile espionage campaign, dubbed RedAlert, that distributes a trojanized version of Israel's official Red Alert rocket warning app via SMS phishing and sideloaded fake updates. The malicious build imitates the genuine interface and continues to deliver real alerts while running a covert surveillance payload that requests high-risk permissions such as SMS access, contacts and precise GPS. It uses advanced anti-detection techniques — including spoofing the original signing certificate, falsifying Play Store installation metadata and manipulating Android's package manager via reflection and proxy hooks — to hide secondary payloads and avoid integrity checks. Incident response guidance recommends isolating affected devices, revoking privileges, performing factory resets when necessary, and blocking known domains while restricting sideloading through mobile device management.

Iran-linked Actor Targets Iraqi Government Officials

🔎 Zscaler ThreatLabz detected a January 2026 campaign by an Iran-nexus actor tracked as Dust Specter that impersonated Iraq’s Ministry of Foreign Affairs and used compromised government infrastructure to host and distribute payloads. The operation deployed previously undocumented tooling — SplitDrop, TwinTask, TwinTalk — and a consolidated .NET RAT called GhostForm. Researchers observed emoji and Unicode artifacts in decompiled code that strongly suggest generative AI assisted in development.

SloppyLemming Hits Pakistan and Bangladesh With Dual Malware

🛡️ Arctic Wolf reports SloppyLemming operated from January 2025 to January 2026, targeting government and critical infrastructure organizations in Pakistan and Bangladesh. The actor used spear‑phishing PDFs and macro‑enabled Excel files to deliver two distinct toolchains: a DLL side‑loading path that deploys an in‑memory backdoor, and a Rust‑based keylogger. The side‑loading route leverages ClickOnce manifests to drop a legitimate .NET binary (NGenTask.exe) and a malicious loader (mscorsvc.dll) that decrypts and runs the implant BurrowShell. The keylogger includes port scanning and network enumeration capabilities, and the campaign abused Cloudflare Workers domains and Havoc/Cobalt Strike tradecraft.

North Korean Phishing Targets Programming Job Seekers

⚠️ Researchers report a new phishing campaign in which North Korean hackers pose as company recruiters and lure developer job candidates with seemingly legitimate coding challenges. When victims run the supplied code, it installs malware on their machines, creating a direct avenue for compromise. ReversingLabs analyzed the samples and BleepingComputer provided additional reporting. Candidates and employers should be cautious about running unvetted code and verify recruiter identities.

Unmasking Agent Tesla: Multi-Stage Campaign Analysis

🔍 This Fortinet analysis dissects a recent multi-stage campaign deploying Agent Tesla, which targets Windows users with credential theft and keylogging. The chain uses spear-phishing with RAR attachments containing obfuscated JSE loaders that fetch encrypted PowerShell scripts and reflectively load .NET assemblies in memory. Operators leverage process hollowing, virtualization and sandbox checks, and SMTP-based exfiltration to minimize detection. Fortinet telemetry and cross-product protections are highlighted to help organizations mitigate the threat.

Job-themed repo lures target developers with backdoors

🛡️ Microsoft warns that a coordinated campaign is using job-themed repositories—often posing as Next.js projects or technical assessments—to infect developer systems with multi-stage backdoors. Attackers embed workspace automation, build scripts, or server startup hooks so simply opening or building a project can load remote JavaScript and execute in memory. Microsoft advises containing affected endpoints, tracing process trees, hunting for repeated polling to attacker infrastructure, enforcing VS Code Workspace Trust, applying attack surface reduction, enabling cloud reputation checks, and tightening developer trust boundaries.

Phishing Campaign Steals Credentials from Freight Firms

📧 A financially motivated threat group dubbed Diesel Vortex has run an extensive phishing campaign since September 2025 targeting freight and logistics operators across the U.S. and Europe, using roughly 52 domains to harvest credentials. Researchers at Have I Been Squatted and partner Ctrl-Alt-Intel discovered exposed repositories and Telegram webhook logs revealing the group's tooling, communications, and an internal mind map describing a call-center style operation. The campaign stole 1,649 unique credential pairs and employed sophisticated evasion — Cyrillic homoglyphs, a nine-stage cloaking chain, voice phishing, Telegram infiltration, and pixel-perfect clones — before coordinated takedowns disrupted the infrastructure.

UAC-0050 Targets European Financial Institution with RMS

🔒 A Russia-aligned cybercrime cluster tracked as UAC-0050 (also known as DaVinci Group and labeled Mercenary Akula by BlueVoyant) carried out a spear-phishing operation this month against a European financial institution involved in regional development and reconstruction. The campaign spoofed a Ukrainian judicial domain and lured a senior legal and policy advisor to download an archive hosted on PixelDrain, which unpacked into a password-protected chain culminating in an executable disguised as a PDF. Execution led to installation of an MSI that deployed RMS remote desktop software, providing persistent remote control and file-transfer capabilities, consistent with the group’s prior use of remote-access tools to evade detection and maintain stealthy access.

APT28 Campaign Uses Webhook-Based Docs to Target Europe

🔎 S2 Grupo's LAB52 attributes a campaign codenamed Operation MacroMaze to the Russia-linked APT28, active from September 2025 through January 2026. The attackers used spear-phishing documents containing an INCLUDEPICTURE field that points to webhook[.]site URLs to confirm document opens and deploy macros that run VBScript and batch files. Payloads render Base64 HTML in Microsoft Edge, using headless or off-screen browsers to retrieve commands and exfiltrate output to webhook endpoints. LAB52 emphasizes the campaign's operational simplicity and reliance on legitimate services to reduce detection.

Massive Winos (ValleyRat) Phishing Campaigns Target Taiwan

⚠️ FortiGuard Labs observed targeted phishing campaigns in Taiwan delivering Winos 4.0 (ValleyRat) and modular plugins via weaponized attachments and cloud-hosted links. Lures impersonate tax audits, e-invoice portals, and installer packages to trick recipients. Attackers employ rotating domains, malicious LNK files, DLL sideloading, and BYOVD using the vulnerable driver wsftprm.sys to gain kernel privileges and evade defenses. Fortinet detections include W64/Agent.ATW!tr and multiple email and gateway protections.

APT36 and SideCopy Launch Cross-Platform RATs

🔐 Pakistan-aligned clusters APT36 and SideCopy are targeting Indian defense and government organizations to deploy cross-platform remote access trojans on Windows and Linux. Attack chains use phishing lures that deliver malicious LNK/HTA files, ELF binaries, and PowerPoint Add-In payloads to initiate multi-stage deployments. Observed malware — Geta RAT, Ares RAT, and DeskRAT — enables persistence, reconnaissance, data theft, and remote command execution while leveraging decoys and memory-resident techniques to evade detection.

ZeroDayRAT Mobile Spyware Targets Android and iOS Users

📱 ZeroDayRAT is a newly documented cross-platform mobile spyware operation targeting Android and iOS, according to iVerify. The toolkit grants persistent access to messages, precise GPS history, notifications, camera, microphone and keystroke capture, and exposes a dedicated web dashboard for rapid device profiling. Infections are commonly initiated via smishing, counterfeit app stores, phishing emails and links shared through messaging apps.

European Governments Hit by Ivanti EPMM Zero-Day Breach

🔒 Several European government bodies reported breaches tied to a coordinated exploitation of Ivanti EPMM zero-day vulnerabilities disclosed on 29 January. Affected organizations include the European Commission, Finnish central agencies and at least two Dutch bodies, with as many as 50,000 Finnish staff details potentially exposed. Compromised data appears limited to names, work emails, phone numbers and device metadata; no device-level data has been confirmed. Authorities contained the incidents quickly, but security teams warn of elevated follow-on risks such as spear-phishing, credential misuse and malicious configuration changes, and advise reassessing administrative credentials, keys and certificates.

UNC1069 Targets Cryptocurrency with AI-Enabled Lures

🔒 Mandiant links a targeted intrusion to UNC1069 that leveraged AI-enabled social engineering to compromise a cryptocurrency executive and deploy multiple macOS malware families. The attacker used a hijacked Telegram account, a spoofed Zoom meeting allegedly featuring a deepfake video, and a ClickFix paste-and-execute ruse to trick the victim into running troubleshooting commands. The operation dropped WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER, DEEPBREATH, CHROMEPUSH, and SILENCELIFT to harvest credentials, browser data, and session tokens. GTIG and Mandiant highlight UNC1069's expanding use of GenAI for lures and tooling.

Bloody Wolf Uses NetSupport RAT to Target Uzbekistan, Russia

🛡️ Kaspersky says the threat actor tracked as Stan Ghouls (also referred to as Bloody Wolf) has conducted spear‑phishing operations to deliver NetSupport RAT to systems in Uzbekistan and Russia. Malicious PDFs embed links that download a loader which displays fake errors, limits installation attempts, retrieves the RAT from multiple domains and ensures persistence through Startup items, a Registry autorun entry and a scheduled task. Kaspersky estimates roughly 50 victims in Uzbekistan and 10 in Russia, with additional infections in Kazakhstan, Turkey, Serbia and Belarus. The vendor also discovered Mirai botnet payloads staged on infrastructure associated with the actor, raising concerns about an expanded IoT targeting capability.

APT28 Exploits Microsoft Office CVE-2026-21509 in Attacks

🔎 The Russia-linked threat actor APT28 has been observed exploiting CVE-2026-21509 in targeted Microsoft Office document attacks as part of Operation Neusploit. Zscaler ThreatLabz reported activity beginning on January 29, 2026, using localized lures and server-side geofilters to deliver malicious DLLs only to intended victims in Ukraine, Slovakia, and Romania. The exploit chains employ RTF/Word files that drop two distinct loaders: a C++ email stealer named MiniDoor and a more elaborate PixyNetLoader, which uses steganography and COM hijacking to deploy a Covenant Grunt implant. The campaign demonstrates focused espionage objectives, targeted evasion, and persistent C2 capabilities.

RedKitten: Iran-linked campaign targets activists and NGOs

🔍 HarfangLab detected a Farsi-speaking, Iran-aligned campaign codenamed RedKitten in January 2026 that targets NGOs and individuals documenting recent human rights abuses. The operation begins with a Farsi-named 7‑Zip archive containing macro-laced Excel files; embedded VBA macros, which analysts say show signs of LLM generation, drop a C# implant via AppDomainManager injection. The backdoor, SloppyMIO, uses GitHub and Google Drive for steganographic configuration retrieval and leverages Telegram for command-and-control, supporting multiple modules to run commands, collect and exfiltrate files, deploy payloads and establish persistence.

GhostChat romance-scam: targeted Android spyware in Pakistan

🔍 ESET researchers disclosed a targeted Android espionage campaign (published 28 Jan 2026) that used a fake dating app called GhostChat (detected as Android/Spy.GhostChat.A) to lure victims in Pakistan. The app, never on Google Play and requiring manual install from unknown sources, presents locked female profiles with hardcoded access codes and embedded WhatsApp numbers to drive victims into operator-controlled chats. Once executed, it requests broad permissions, immediately exfiltrates device identifiers, contacts and a wide range of files, and continues to upload newly created images and documents on a scheduled basis. ESET linked related Windows activity using the same C2 infrastructure, published IoCs and sample hashes (for example SHA-1 B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A), and shared findings with Google; known variants are blocked by Play Protect on devices with Google Play Services.

Pakistan-linked Cyber Campaigns Target Indian Government

🛡️ Zscaler ThreatLabz identified two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, that targeted Indian government entities in September 2025. Gopher Strike relied on tailored phishing PDFs that display a fake update prompt and selectively deliver an ISO payload only to requests originating from India and Windows User-Agents. Sheet Attack abused legitimate services such as Google Sheets, Firebase, and email for command-and-control. The intrusions deploy Golang tools — GOGITTER, GITSHELLPAD, and GOSHELL — to maintain persistence, execute commands, and stage a Cobalt Strike Beacon.

Pakistan-linked campaigns target Indian government assets

🔎 Zscaler ThreatLabz in September 2025 uncovered two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, aimed at Indian government entities. Gopher Strike used phishing PDFs with a fake Adobe update that conditionally delivers an ISO to Indian Windows hosts, deploying a Golang downloader, GOGITTER, which establishes VBScript-based persistence and scheduled-task execution. Sheet Attack abused legitimate services such as Google Sheets, Firebase and email for command-and-control, while a lightweight backdoor, GITSHELLPAD, and a padded loader, GOSHELL, were used to ultimately deliver Cobalt Strike.