
All news with #spear phishing tag

106 articles · page 3 of 6

Digital Integrity: Why Firewalls and IDS Fall Short

🔐 The article argues that in a connected business environment, conventional perimeter controls like firewalls and intrusion-detection systems are no longer sufficient to protect organisations. It highlights how a $280 billion data-broker industry and billions of daily phishing emails create an expansive, often invisible outbound data flow that enables credible CEO fraud and targeted spear-phishing. The author recommends deploying Security & Privacy Boxes, strengthening employee training, self-hosting sensitive services and adopting a Zero Trust approach to reduce leakage and long-term APT dwell time.

Konni Uses AI-Generated PowerShell Backdoor on Devs

⚠️ Konni, a North Korea–linked threat actor, has deployed an AI-assisted PowerShell backdoor against blockchain developers in Japan, Australia, and India. The campaign uses spear-phishing ZIP archives hosted on WordPress and Discord CDN that drop LNK files which launch an AutoIt loader and extract a modular PowerShell implant. Check Point observed AI-style code structure and comments in the backdoor while attackers leverage UAC bypass, Defender exclusions, scheduled tasks, and a C2 encryption gate to maintain stealth and persistence.

Konni Targets Blockchain Engineers with AI-Powered Malware

🔒 The North Korean-linked Konni group is deploying AI-generated PowerShell malware to specifically target developers and engineers in the blockchain sector. The campaign uses Discord-hosted ZIP lures that contain a PDF, a malicious LNK shortcut, and an embedded DOCX/CAB payload which drops a backdoor, batch files, and a UAC bypass executable. The backdoor is heavily obfuscated, runs an XOR-encrypted script in-memory via an hourly scheduled task masquerading as OneDrive, and bears markers of LLM-assisted development such as structured documentation and placeholder comments like "# <- your permanent project UUID".

North Korean 'PurpleBravo' Campaign Targets 3,136 IPs Globally

🔍 Recorded Future's Insikt Group attributes to North Korea a widespread campaign, dubbed PurpleBravo, that targeted 3,136 individual IP addresses via fraudulent job interviews prompting candidates to run malicious code. The activity, observed from August 2024 to September 2025, affected 20 organizations across AI, crypto, finance, IT services, marketing, and software development in Europe, South Asia, the Middle East, and Central America. Security firms including Jamf Threat Labs reported abuse of VS Code projects, malicious GitHub repos and fake LinkedIn personas to deliver malware such as BeaverTail and a Go-based backdoor, increasing supply-chain and corporate-device risks.

Peruvian Loan Scam Harvests Card Details and PINs at Scale

🔒 A large-scale phishing campaign in Peru has used polished fake loan applications to collect valid card numbers, online banking passwords and 6-digit PINs, according to Group-IB. Active since 2024, the operation leverages targeted social media ads and roughly 370 domains, including 16 impersonating a major Peruvian bank. The flow deliberately breaks facial verification so victims are steered toward card entry, and card numbers are filtered with the Luhn check to ensure usability. Group-IB urges stronger customer education, multi-factor authentication and cross-industry intelligence sharing to counter the threat.

LOTUSLITE Backdoor Targets U.S. Policy and Diplomacy

🛡️ A targeted campaign used political lures and a ZIP archive to deliver a DLL side-loading chain that installs the backdoor LOTUSLITE (kugou.dll), aimed at U.S. government and policy organizations. Acronis researchers attributed the activity with moderate confidence to the Chinese-linked Mustang Panda cluster and observed registry persistence, WinHTTP C2 communications, and remote CMD tasking. It remains unclear whether intended targets were successfully compromised.

LinkedIn: Why Threat Actors Target Professionals Now

🔒 LinkedIn's vast professional network provides abundant intelligence that threat actors exploit to support spear-phishing, business email compromise and direct recruitment efforts. Profiles and connections help attackers craft highly credible lures, while messages sent within the platform can bypass corporate email controls. To reduce risk, users should limit public detail, enable MFA, maintain patched devices and complete targeted security awareness training focused on fake profiles and malicious DMs.

Charity-Themed Campaign Delivers PluggyApe to Ukraine

🔒 Between October and December 2025, Ukraine's Defense Forces were targeted in a charity-themed messaging campaign that delivered the backdoor PluggyApe. Attackers used Signal and WhatsApp to lure recipients to fake charity sites or to send password-protected archives containing executable .docx.pif files created with PyInstaller, and sometimes delivered payloads directly via messaging apps. PluggyApe profiles hosts, sends victim identifiers and system data to operators, achieves persistence through Windows Registry modifications, and fetches base64-encoded C2 addresses from public paste services. CERT-UA assigns medium confidence attribution to the Russian-aligned group known as Laundry Bear (aka Void Blizzard) and warns that mobile devices and compromised local accounts make such lures especially convincing.

MuddyWater Deploys RustyWater RAT in Spear‑Phishing Campaign

🛡️ CloudSEK researchers report that the Iran-linked actor MuddyWater has distributed a new Rust-based remote access tool codenamed RustyWater via spear-phishing emails containing malicious Microsoft Word documents. The lure employs icon spoofing and a VBA macro that drops a Rust implant capable of asynchronous C2, anti-analysis, registry persistence, and modular expansion. Tracked also as Archer RAT or RUSTRIC, the implant contacts a hardcoded C2 (nomercys.it[.]com) to perform file operations and execute commands. Seqrite Labs linked RUSTRIC to recent activity against IT firms, MSPs and software companies in Israel.

FBI Warns of North Korean QR Code Phishing (Quishing)

🔒 The FBI has issued an alert about ongoing North Korean QR code phishing campaigns conducted by the Kimsuky APT, which targeted think tanks, academic institutions and government entities in May–June 2025. Attackers embedded QR codes in spear-phishing emails to redirect victims to mobile-optimized credential-harvesting pages, evading typical email security controls. The FBI recommends heightened user training, deployment of mobile device management, phishing-resistant MFA, and enhanced logging and monitoring to detect and mitigate these quishing attacks.

FBI: North Korean Hackers Employ Malicious QR Codes

🚨 The FBI warns that North Korean state-sponsored actors, tracked as Kimsuky, have embedded malicious QR codes in targeted spear-phishing (quishing) campaigns observed in May–June 2025. Attackers spoofed advisors, embassy staff, and think-tank employees to trick recipients into scanning QR codes that redirect mobile devices to attacker-controlled infrastructure or fake login pages. Because scans take victims off enterprise-managed machines to unmanaged phones outside EDR and network inspection, adversaries can harvest session tokens, replay credentials to bypass MFA, establish persistence, and launch secondary spear-phishing from compromised mailboxes.

FBI Warns: Kimsuky Uses QR Codes to Phish U.S. Organizations

🔒 The FBI warns that North Korean state-sponsored group Kimsuky is using malicious QR codes in spear-phishing campaigns targeting U.S. organizations involved in North Korea policy, research, and analysis. These quishing campaigns route victims to attacker-controlled sites that fingerprint devices and serve fake Microsoft 365, Okta, Google, or VPN login pages to steal credentials and session tokens. Because they require mobile interaction and can originate from compromised inboxes, the attacks can bypass email security and enable MFA-resistant cloud account hijacking; the FBI urges training, QR verification, mobile device management, strong MFA, and immediate reporting.

Transparent Tribe Deploys New RAT Targeting Indian Sectors

🛡️ Transparent Tribe (APT36) has launched a spear-phishing campaign delivering a memory‑resident RAT that grants persistent remote control of compromised hosts. The attack chain leverages weaponized .LNK shortcuts that execute obfuscated HTA scripts via mshta.exe, decrypt payloads into memory, and present decoy PDFs to evade detection. The malware adapts persistence to detected antiviruses and drops a DLL, iinneldc.dll, which supports remote command execution, file exfiltration, screenshot capture, clipboard manipulation, and process control.

Targeted npm Packages Used to Host Credential Lures

🔒 Cybersecurity researchers detailed a five-month, targeted spear-phishing campaign that published 27 malicious npm packages across six aliases to repurpose package CDNs as resilient hosting for browser‑run credential‑harvesting lures. The embedded HTML/JavaScript mimicked document‑sharing portals and Microsoft sign‑in, pre-filling victim emails and using bot/sandbox checks, honeypot fields and heavy obfuscation to evade detection. Socket links the domains to Evilginx-style AitM infrastructure and urges phishing‑resistant MFA, strict dependency verification, CDN request logging, and monitoring for suspicious post‑auth activity.

ForumTroll Phishing Targets Russian Scholars via eLibrary

📚 Kaspersky reported a targeted phishing campaign linked to Operation ForumTroll observed in October 2025 that impersonated the Russian eLibrary service. Attackers used a long-aged bogus domain to send personalized emails with one-time links to ZIP archives named for each victim, which contained a .LNK that runs a PowerShell downloader. The chain fetches a staged payload that loads a final DLL, persists via COM hijacking, deploys the Tuoni C2 framework for remote access, and shows a decoy PDF to victims.

ForumTroll Targets Political Scientists with Tuoni

📧 Kaspersky researchers have uncovered a targeted campaign by the ForumTroll APT that lures political scientists with personalized plagiarism-check links impersonating the eLibrary service. The downloaded archive contained a malicious .lnk and a .Thumbs directory with images used to evade security; filenames included each victim’s full name. When executed on Windows the .lnk ran a PowerShell chain that installed the commercial red-team framework Tuoni, used COM hijacking for persistence, and displayed a decoy PDF named for the target. Kaspersky reports detections and recommends endpoint and mail-gateway protections to stop similar email-delivered threats.

Ashen Lepus Deploys AshTag Malware Against Diplomats

🔐 Unit 42 details activity by Hamas-affiliated Ashen Lepus using a new modular .NET suite named AshTag, alongside custom loaders and revised C2 techniques to evade detection. The actors targeted Arabic-speaking government and diplomatic entities across the Middle East, delivering malware via RAR archives, DLL sideloading, and payloads hidden in benign HTML. Operators improved encryption and domain masquerading and performed hands-on exfiltration using Rclone. Organizations should monitor the provided IOCs and strengthen EDR and egress controls.

MuddyWater Deploys UDPGangster Backdoor in Attacks

🔒 The Iranian-linked group MuddyWater has been observed deploying a new UDP-based backdoor called UDPGangster, using UDP channels for command-and-control, data exfiltration, and remote command execution. Fortinet FortiGuard Labs says the campaign targeted users in Turkey, Israel, and Azerbaijan via spear-phishing messages that deliver macro-enabled Word documents (e.g., "seminer.doc" inside "seminer.zip") and display a Hebrew-language decoy image. The embedded VBA macro decodes Base64 content into C:\Users\Public\ui.txt and launches it via CreateProcessA; the payload establishes registry persistence and runs multiple anti-analysis checks before communicating over UDP to 157.20.182[.]75:1269 to exfiltrate data, run commands with "cmd.exe", transfer files, and deploy additional payloads.

UDPGangster Backdoor Campaigns Target Turkey, Israel

🔒 FortiGuard Labs reports multiple campaigns deploying the UDPGangster UDP-based backdoor, attributed to the MuddyWater espionage group. Attackers used macro-embedded Microsoft Word documents delivered via phishing, impersonating official Turkish emails and targeting users in Turkey, Israel, and Azerbaijan. The malware implements persistence, extensive anti-analysis checks, and UDP C2 communications to exfiltrate data and execute remote commands. Fortinet detections and protections are available to mitigate these threats.

Star Blizzard Targets Reporters Without Borders in Phishing

📧 Sekoia.io researchers have identified a fresh wave of spear-phishing linked to the Russia-nexus intrusion set Star Blizzard (aka Calisto/ColdRiver) that targeted NGOs including Reporters Without Borders in May–June 2025. Operators impersonated trusted contacts via ProtonMail, using a custom Adversary-in-the-Middle kit to harvest credentials and relay 2FA prompts through compromised sites and redirectors. Observed tactics included a ZIP disguised as a .pdf, decoy encrypted PDFs instructing victims to open files in ProtonDrive, injected JavaScript to lock password-field focus, and an API-driven workflow for handling CAPTCHA and 2FA challenges, underscoring continued risk to Western organizations supporting Ukraine.