< ciso
brief />
Tag Banner

All news with #spear phishing tag

118 articles · page 3 of 6

APT28 Campaign Uses Webhook-Based Docs to Target Europe

🔎 S2 Grupo's LAB52 attributes a campaign codenamed Operation MacroMaze to the Russia-linked APT28, active from September 2025 through January 2026. The attackers used spear-phishing documents containing an INCLUDEPICTURE field that points to webhook[.]site URLs to confirm document opens and deploy macros that run VBScript and batch files. Payloads render Base64 HTML in Microsoft Edge, using headless or off-screen browsers to retrieve commands and exfiltrate output to webhook endpoints. LAB52 emphasizes the campaign's operational simplicity and reliance on legitimate services to reduce detection.
read more →

Massive Winos (ValleyRat) Phishing Campaigns Target Taiwan

⚠️FortiGuard Labs observed targeted phishing campaigns in Taiwan delivering Winos 4.0 (ValleyRat) and modular plugins via weaponized attachments and cloud-hosted links. Lures impersonate tax audits, e-invoice portals, and installer packages to trick recipients. Attackers employ rotating domains, malicious LNK files, DLL sideloading, and BYOVD using the vulnerable driver wsftprm.sys to gain kernel privileges and evade defenses. Fortinet detections include W64/Agent.ATW!tr and multiple email and gateway protections.
read more →

APTs APT36 and SideCopy Launch Cross-Platform RATs

🔐 Pakistan-aligned clusters APT36 and SideCopy are targeting Indian defense and government organizations to deploy cross-platform remote access trojans on Windows and Linux. Attack chains use phishing lures that deliver malicious LNK/HTA files, ELF binaries, and PowerPoint Add-In payloads to initiate multi-stage deployments. Observed malware — Geta RAT, Ares RAT, and DeskRAT — enables persistence, reconnaissance, data theft, and remote command execution while leveraging decoys and memory-resident techniques to evade detection.
read more →

ZeroDayRAT Mobile Spyware Targets Android and iOS Users

📱 ZeroDayRAT is a newly documented cross-platform mobile spyware operation targeting Android and iOS, according to iVerify. The toolkit grants persistent access to messages, precise GPS history, notifications, camera, microphone and keystroke capture, and exposes a dedicated web dashboard for rapid device profiling. Infections are commonly initiated via smishing, counterfeit app stores, phishing emails and links shared through messaging apps.
read more →

European Governments Hit by Ivanti EPMM Zero-Day Breach

🔒 Several European government bodies reported breaches tied to a coordinated exploitation of Ivanti EPMM zero-day vulnerabilities disclosed on 29 January. Affected organizations include the European Commission, Finnish central agencies and at least two Dutch bodies, with as many as 50,000 Finnish staff details potentially exposed. Compromised data appears limited to names, work emails, phone numbers and device metadata; no device-level data has been confirmed. Authorities contained the incidents quickly, but security teams warn of elevated follow-on risks such as spearphishing, credential misuse and malicious configuration changes, and advise reassessing administrative credentials, keys and certificates.
read more →

UNC1069 Targets Cryptocurrency with AI-Enabled Lures

🔒 Mandiant links a targeted intrusion to UNC1069 that leveraged AI-enabled social engineering to compromise a cryptocurrency executive and deploy multiple macOS malware families. The attacker used a hijacked Telegram account, a spoofed Zoom meeting allegedly featuring a deepfake video, and a ClickFix paste-and-execute ruse to trick the victim into running troubleshooting commands. The operation dropped WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER, DEEPBREATH, CHROMEPUSH, and SILENCELIFT to harvest credentials, browser data, and session tokens. GTIG and Mandiant highlight UNC1069's expanding use of GenAI for lures and tooling.
read more →

Bloody Wolf Uses NetSupport RAT to Target Uzbekistan, Russia

🛡️ Kaspersky says the threat actor tracked as Stan Ghouls (also referred to as Bloody Wolf) has conducted spear‑phishing operations to deliver NetSupport RAT to systems in Uzbekistan and Russia. Malicious PDFs embed links that download a loader which displays fake errors, limits installation attempts, retrieves the RAT from multiple domains and ensures persistence through Startup items, a Registry autorun entry and a scheduled task. Kaspersky estimates roughly 50 victims in Uzbekistan and 10 in Russia, with additional infections in Kazakhstan, Turkey, Serbia and Belarus. The vendor also discovered Mirai botnet payloads staged on infrastructure associated with the actor, raising concerns about an expanded IoT targeting capability.
read more →

APT28 Exploits Microsoft Office CVE-2026-21509 in Attacks

🔎 The Russia-linked threat actor APT28 has been observed exploiting CVE-2026-21509 in targeted Microsoft Office document attacks as part of Operation Neusploit. Zscaler ThreatLabz reported activity beginning on January 29, 2026, using localized lures and server-side geofilters to deliver malicious DLLs only to intended victims in Ukraine, Slovakia, and Romania. The exploit chains employ RTF/Word files that drop two distinct loaders: a C++ email stealer named MiniDoor and a more elaborate PixyNetLoader, which uses steganography and COM hijacking to deploy a Covenant Grunt implant. The campaign demonstrates focused espionage objectives, targeted evasion, and persistent C2 capabilities.
read more →

RedKitten: Iran-linked campaign targets activists and NGOs

🔍 HarfangLab detected a Farsi-speaking, Iran-aligned campaign codenamed RedKitten in January 2026 that targets NGOs and individuals documenting recent human rights abuses. The operation begins with a Farsi-named 7‑Zip archive containing macro-laced Excel files; embedded VBA macros, which analysts say show signs of LLM generation, drop a C# implant via AppDomainManager injection. The backdoor, SloppyMIO, uses GitHub and Google Drive for steganographic configuration retrieval and leverages Telegram for command-and-control, supporting multiple modules to run commands, collect and exfiltrate files, deploy payloads and establish persistence.
read more →

GhostChat romance-scam: targeted Android spyware in Pakistan

🔍 ESET researchers disclosed a targeted Android espionage campaign (published 28 Jan 2026) that used a fake dating app called GhostChat (detected as Android/Spy.GhostChat.A) to lure victims in Pakistan. The app, never on Google Play and requiring manual install from unknown sources, presents locked female profiles with hardcoded access codes and embedded WhatsApp numbers to drive victims into operator-controlled chats. Once executed it requests broad permissions, immediately exfiltrates device identifiers, contacts and a wide range of files, and continues to upload newly created images and documents on a scheduled basis. ESET linked related Windows activity using the same C2 infrastructure, published IoCs and sample hashes (for example SHA-1 B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A), and shared findings with Google; known variants are blocked by Play Protect on devices with Google Play Services.
read more →

Pakistan-linked Cyber Campaigns Target Indian Government

🛡️ Zscaler ThreatLabz identified two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, that targeted Indian government entities in September 2025. Gopher Strike relied on tailored phishing PDFs that display a fake update prompt and selectively deliver an ISO payload only to requests originating from India and Windows User-Agents. Sheet Attack abused legitimate services such as Google Sheets, Firebase, and email for command-and-control. The intrusions deploy Golang tools — GOGITTER, GITSHELLPAD, and GOSHELL — to maintain persistence, execute commands, and stage a Cobalt Strike Beacon.
read more →

Pakistan-linked campaigns target Indian government assets

🔎 Zscaler ThreatLabz in September 2025 uncovered two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, aimed at Indian government entities. Gopher Strike used phishing PDFs with a fake Adobe update that conditionally delivers an ISO to Indian Windows hosts, deploying a Golang downloader, GOGITTER, which establishes VBScript-based persistence and scheduled-task execution. Sheet Attack abused legitimate services such as Google Sheets, Firebase and email for command-and-control, while a lightweight backdoor, GITSHELLPAD, and a padded loader, GOSHELL, were used to ultimately deliver Cobalt Strike.
read more →

Digital Integrity: Why Firewalls and IDS Fall Short

🔐 In a connected business environment, the article argues that conventional perimeter controls like firewalls and intrusion-detection systems are no longer sufficient to protect organisations. It highlights how a $280 billion data-broker industry and billions of daily phishing emails create an expansive, often invisible outbound data flow that enables credible CEO fraud and targeted spear-phishing. The author recommends deploying Security & Privacy Boxes, strengthening employee training, self-hosting sensitive services and adopting a Zero Trust approach to reduce leakage and long-term APT dwell time.
read more →

Konni Uses AI-Generated PowerShell Backdoor on Devs

⚠️ Konni, a North Korea–linked threat actor, has deployed an AI-assisted PowerShell backdoor against blockchain developers in Japan, Australia, and India. The campaign uses spear-phishing ZIP archives hosted on WordPress and Discord CDN that drop LNK files which launch an AutoIt loader and extract a modular PowerShell implant. Check Point observed AI-style code structure and comments in the backdoor while attackers leverage UAC bypass, Defender exclusions, scheduled tasks, and a C2 encryption gate to maintain stealth and persistence.
read more →

Konni Targets Blockchain Engineers with AI-Powered Malware

🔒 The North Korean-linked Konni group is deploying AI-generated PowerShell malware to specifically target developers and engineers in the blockchain sector. The campaign uses Discord-hosted ZIP lures that contain a PDF, a malicious LNK shortcut, and an embedded DOCX/CAB payload which drops a backdoor, batch files, and a UAC bypass executable. The backdoor is heavily obfuscated, runs an XOR-encrypted script in-memory via an hourly scheduled task masquerading as OneDrive, and bears markers of LLM-assisted development such as structured documentation and placeholder comments like "# <- your permanent project UUID".
read more →

North Korean 'PurpleBravo' Campaign Targets 3,136 IPs Globally

🔍 Recorded Future's Insikt Group attributes a widespread North Korean campaign, dubbed PurpleBravo, with targeting of 3,136 individual IP addresses via fraudulent job interviews that prompted candidates to run malicious code. The activity, observed from August 2024 to September 2025, affected 20 organizations across AI, crypto, finance, IT services, marketing, and software development in Europe, South Asia, the Middle East, and Central America. Security firms including Jamf Threat Labs reported abuse of VS Code projects, malicious GitHub repos and fake LinkedIn personas to deliver malware such as BeaverTail and a Go-based backdoor, increasing supply-chain and corporate-device risks.
read more →

Peruvian Loan Scam Harvests Card Details and PINs at Scale

🔒 A large-scale phishing campaign in Peru has used polished fake loan applications to collect valid card numbers, online banking passwords and 6-digit PINs, according to Group-IB. Active since 2024, the operation leverages targeted social media ads and roughly 370 domains, including 16 impersonating a major Peruvian bank. The flow deliberately breaks facial verification so victims are steered toward card entry, and card numbers are filtered with the Luhn check to ensure usability. Group-IB urges stronger customer education, multi-factor authentication and cross-industry intelligence sharing to counter the threat.
read more →

LOTUSLITE Backdoor Targets U.S. Policy and Diplomacy

🛡️ A targeted campaign used political lures and a ZIP archive to deliver a DLL side-loading chain that installs the backdoor LOTUSLITE (kugou.dll), aimed at U.S. government and policy organizations. Acronis researchers attributed the activity with moderate confidence to the Chinese-linked Mustang Panda cluster and observed registry persistence, WinHTTP C2 communications, and remote CMD tasking. It remains unclear whether intended targets were successfully compromised.
read more →

LinkedIn: Why Threat Actors Target Professionals Now

🔒 LinkedIn's vast professional network provides abundant intelligence that threat actors exploit to support spear-phishing, business email compromise and direct recruitment efforts. Profiles and connections help attackers craft highly credible lures, while messages sent within the platform can bypass corporate email controls. To reduce risk, users should limit public detail, enable MFA, maintain patched devices and complete targeted security awareness training focused on fake profiles and malicious DMs.
read more →

Charity-Themed Campaign Delivers PluggyApe to Ukraine

🔒 Between October and December 2025, Ukraine's Defense Forces were targeted in a charity-themed messaging campaign that delivered the backdoor PluggyApe. Attackers used Signal and WhatsApp to lure recipients to fake charity sites or to send password-protected archives containing executable .docx.pif files created with PyInstaller, and sometimes delivered payloads directly via messaging apps. PluggyApe profiles hosts, sends victim identifiers and system data to operators, achieves persistence through Windows Registry modifications, and fetches base64-encoded C2 addresses from public paste services. CERT-UA assigns medium confidence attribution to the Russian-aligned group known as Laundry Bear (aka Void Blizzard) and warns that mobile devices and compromised local accounts make such lures especially convincing.
read more →