< ciso
brief />
Tag Banner

All news with #spear phishing tag

118 articles · page 4 of 6

MuddyWater Deploys RustyWater RAT in Spear‑Phishing Campaign

🛡️ CloudSEK researchers report that the Iran-linked actor MuddyWater has distributed a new Rust-based remote access tool codenamed RustyWater via spear-phishing emails containing malicious Microsoft Word documents. The lure employs icon spoofing and a VBA macro that drops a Rust implant capable of asynchronous C2, anti-analysis, registry persistence, and modular expansion. Tracked also as Archer RAT or RUSTRIC, the implant contacts a hardcoded C2 (nomercys.it[.]com) to perform file operations and execute commands. Seqrite Labs linked RUSTRIC to recent activity against IT firms, MSPs and software companies in Israel.
read more →

FBI Warns of North Korean QR Code Phishing (Quishing)

🔒The FBI has issued an alert about ongoing North Korean QR code phishing campaigns conducted by the Kimsuky APT, which targeted think tanks, academic institutions and government entities in May–June 2025. Attackers embedded QR codes in spear-phishing emails to redirect victims to mobile-optimized credential-harvesting pages, evading typical email security controls. The FBI recommends heightened user training, deployment of mobile device management, phishing-resistant MFA, and enhanced logging and monitoring to detect and mitigate these quishing attacks.
read more →

FBI: North Korean Hackers Employ Malicious QR Codes

🚨 The FBI warns that North Korean state-sponsored actors, tracked as Kimsuky, have embedded malicious QR codes in targeted spear-phishing (quishing) campaigns observed in May–June 2025. Attackers spoofed advisors, embassy staff, and think-tank employees to trick recipients into scanning QR codes that redirect mobile devices to attacker-controlled infrastructure or fake login pages. Because scans take victims off enterprise-managed machines to unmanaged phones outside EDR and network inspection, adversaries can harvest session tokens, replay credentials to bypass MFA, establish persistence, and launch secondary spear-phishing from compromised mailboxes.
read more →

FBI Warns: Kimsuky Uses QR Codes to Phish U.S. Organizations

🔒 The FBI warns that North Korean state-sponsored group Kimsuky is using malicious QR codes in spearphishing campaigns targeting U.S. organizations involved in North Korea policy, research, and analysis. These quishing campaigns route victims to attacker-controlled sites that fingerprint devices and serve fake Microsoft 365, Okta, Google, or VPN login pages to steal credentials and session tokens. Because they require mobile interaction and can originate from compromised inboxes, the attacks can bypass email security and enable MFA-resistant cloud account hijacking; the FBI urges training, QR verification, mobile device management, strong MFA, and immediate reporting.
read more →

Transparent Tribe Deploys New RAT Targeting Indian Sectors

🛡️ Transparent Tribe (APT36) has launched a spear-phishing campaign delivering a memory‑resident RAT that grants persistent remote control of compromised hosts. The attack chain leverages weaponized .LNK shortcuts that execute obfuscated HTA scripts via mshta.exe, decrypt payloads into memory, and present decoy PDFs to evade detection. The malware adapts persistence to detected antiviruses and drops a DLL, iinneldc.dll, which supports remote command execution, file exfiltration, screenshot capture, clipboard manipulation, and process control.
read more →

Targeted npm Packages Used to Host Credential Lures

🔒 Cybersecurity researchers detailed a five-month, targeted spear-phishing campaign that published 27 malicious npm packages across six aliases to repurpose package CDNs as resilient hosting for browser‑run credential‑harvesting lures. The embedded HTML/JavaScript mimicked document‑sharing portals and Microsoft sign‑in, pre-filling victim emails and using bot/sandbox checks, honeypot fields and heavy obfuscation to evade detection. Socket links the domains to Evilginx-style AitM infrastructure and urges phishing‑resistant MFA, strict dependency verification, CDN request logging, and monitoring for suspicious post‑auth activity.
read more →

ForumTroll Phishing Targets Russian Scholars via eLibrary

📚 Kaspersky reported a targeted phishing campaign linked to Operation ForumTroll observed in October 2025 that impersonated the Russian eLibrary service. Attackers used a long-aged bogus domain to send personalized emails with one-time links to ZIP archives named for each victim, which contained a .LNK that runs a PowerShell downloader. The chain fetches a staged payload that loads a final DLL, persists via COM hijacking, deploys the Tuoni C2 framework for remote access, and shows a decoy PDF to victims.
read more →

ForumTroll Targets Political Scientists with Tuoni

📧 Kaspersky researchers have uncovered a targeted campaign by the ForumTroll APT that lures political scientists with personalized plagiarism-check links impersonating the eLibrary service. The downloaded archive contained a malicious .lnk and a .Thumbs directory with images used to evade security; filenames included each victim’s full name. When executed on Windows the .lnk ran a PowerShell chain that installed the commercial red-team framework Tuoni, used COM hijacking for persistence, and displayed a decoy PDF named for the target. Kaspersky reports detections and recommends endpoint and mail-gateway protections to stop similar email-delivered threats.
read more →

Ashen Lepus Deploys AshTag Malware Against Diplomats

🔐 Unit 42 details activity by Hamas-affiliated Ashen Lepus using a new modular .NET suite named AshTag, alongside custom loaders and revised C2 techniques to evade detection. The actors targeted Arabic-speaking government and diplomatic entities across the Middle East, delivering malware via RAR archives, DLL sideloading, and payloads hidden in benign HTML. Operators improved encryption and domain masquerading and performed hands-on exfiltration using Rclone. Organizations should monitor the provided IOCs and strengthen EDR and egress controls.
read more →

MuddyWater Deploys UDPGangster Backdoor in Attacks

🔒 The Iranian-linked group MuddyWater has been observed deploying a new UDP-based backdoor called UDPGangster, using UDP channels for command-and-control, data exfiltration, and remote command execution. Fortinet FortiGuard Labs says the campaign targeted users in Turkey, Israel, and Azerbaijan via spear-phishing messages that deliver macro-enabled Word documents (e.g., "seminer.doc" inside "seminer.zip") and display a Hebrew-language decoy image. The embedded VBA macro decodes Base64 content into C:\Users\Public\ui.txt and launches it via CreateProcessA; the payload establishes registry persistence and runs multiple anti-analysis checks before communicating over UDP to 157.20.182[.]75:1269 to exfiltrate data, run commands with "cmd.exe", transfer files, and deploy additional payloads.
read more →

UDPGangster Backdoor Campaigns Target Turkey, Israel

🔒FortiGuard Labs reports multiple campaigns deploying the UDPGangster UDP-based backdoor, attributed to the MuddyWater espionage group. Attackers used macro-embedded Microsoft Word documents delivered via phishing, impersonating official Turkish emails and targeting users in Turkey, Israel, and Azerbaijan. The malware implements persistence, extensive anti-analysis checks, and UDP C2 communications to exfiltrate data and execute remote commands. Fortinet detections and protections are available to mitigate these threats.
read more →

Star Blizzard Targets Reporters Without Borders in Phishing

📧 Sekoia.io researchers have identified a fresh wave of spear-phishing linked to the Russia-nexus intrusion set Star Blizzard (aka Calisto/ColdRiver) that targeted NGOs including Reporters Without Borders in May–June 2025. Operators impersonated trusted contacts via ProtonMail, using a custom Adversary-in-the-Middle kit to harvest credentials and relay 2FA prompts through compromised sites and redirectors. Observed tactics included a ZIP disguised as a .pdf, decoy encrypted PDFs instructing victims to open files in ProtonDrive, injected JavaScript to lock password-field focus, and an API-driven workflow for handling CAPTCHA and 2FA challenges, underscoring continued risk to Western organizations supporting Ukraine.
read more →

Oversharing Risks: Employees Posting Too Much Online

🔒 Professionals routinely share work-related details on platforms such as LinkedIn, GitHub and consumer networks like Instagram and X, creating a public intelligence trove that attackers readily exploit. Job titles, project names, vendor relationships, commit metadata and travel plans are commonly weaponised into spearphishing, BEC and deepfake-enabled schemes. Organisations should emphasise security awareness, implement clear social media policies, enforce MFA and password managers, actively monitor public accounts and run red-team exercises to validate controls.
read more →

Tomiris Shifts to Public Services for C2 Evasion Tactics

🛡️ Kaspersky researchers report that the Tomiris threat actor has increasingly used legitimate public services such as Telegram and Discord as command-and-control channels to blend malicious traffic with benign activity. The campaign relies on tailored spear-phishing with password-protected RAR attachments, multi-language implants, and open-source C2 frameworks like Havoc and AdaptixC2. Targeting focuses on Russian-speaking governmental and diplomatic entities across Central Asia and Russia, enabling long-term persistence and covert intelligence collection.
read more →

Bloody Wolf Expands Java-Based NetSupport Campaign Regionally

🐺 Group-IB and Ukuk report that the actor known as Bloody Wolf has conducted spear-phishing campaigns since June 2025 targeting Kyrgyzstan and, by October 2025, expanded into Uzbekistan to deliver NetSupport RAT. Attackers impersonate government ministries using malicious PDFs that host Java Archive (JAR) loaders built for Java 8, instructing victims to install Java so the loader can execute. The loader fetches the NetSupport payload and establishes persistence via scheduled tasks, registry entries, and a startup batch script in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
read more →

Bloody Wolf APT Expands NetSupport Campaign in Central Asia

🔎 Researchers at Group-IB and UKUK have identified a widening campaign by the Bloody Wolf APT that uses streamlined Java-based loaders to deliver NetSupport remote administration software to government targets. The operation, active since late 2023 and observed in Kyrgyzstan from at least June 2025 before spreading to Uzbekistan in early October, relies on convincing PDF lures, spoofed domains and geofenced infrastructure. Simple Java 8 loaders fetch NetSupport over HTTP, add persistence via autorun entries and scheduled tasks, display fake error messages, and include a launch-limit counter to limit execution and avoid detection. The group has shifted from using STRRAT to deploying an older 2013 build of NetSupport Manager and uses a custom JAR generator to mass-produce variants.
read more →

Influencers Targeted by Cybercriminals: Account Risks

🔒 Social media influencers are increasingly attractive targets for cybercriminals who hijack trusted accounts to distribute scams, malware and fraudulent offers. Attackers use spearphishing, credential stuffing, brute-force attacks and SIM swapping, and AI is making those lures more convincing. Compromised accounts may be sold or used to push crypto and investment scams, exfiltrate follower data or extort victims. Practical defences include long, unique passwords, app-based 2FA, phishing awareness, device separation and up-to-date security software.
read more →

SpearSpecter: APT42 Targets Defense and Government

🛡️ The Israel National Digital Agency (INDA) has attributed a new espionage campaign codenamed SpearSpecter to Iranian state‑aligned APT42, active since September 2025 against senior defense and government officials and their family members. Operators employ tailored social engineering—invites to conferences and impersonated WhatsApp contacts—to deliver a WebDAV‑served .LNK via the search‑ms: handler that retrieves a batch script and stages the TAMECAT PowerShell backdoor. TAMECAT uses HTTPS, Discord, and Telegram for command-and-control, supports modular data‑theft capabilities (browser and Outlook exfiltration, screenshots), and relies on Cloudflare Workers, LOLBins, in‑memory execution, and obfuscation to maintain persistent, stealthy access.
read more →

China-aligned UTA0388 leverages AI in GOVERSHELL attacks

📧 Volexity has linked a series of spear-phishing campaigns from June to August 2025 to a China-aligned actor tracked as UTA0388. The group used tailored, rapport-building messages impersonating senior researchers and delivered archive files that contained a benign-looking executable alongside a hidden malicious DLL loaded via search order hijacking. The distributed malware family, labeled GOVERSHELL, evolved through five variants capable of remote command execution, data collection and persistence, shifting communications from simple shells to encrypted WebSocket and HTTPS channels. Linguistic oddities, mixed-language messages and bizarre file inclusions led researchers to conclude LLMs likely assisted in crafting emails and possibly code.
read more →

Trojanized ESET Installers Deliver Kalambur Backdoor

🛡️ A Russia-aligned cluster tracked as InedibleOchotense impersonated Slovak vendor ESET in May 2025, sending spear-phishing emails and Signal messages to multiple Ukrainian organizations. Recipients were directed to domains such as esetsmart[.]com hosting a trojanized installer that deployed the legitimate ESET AV Remover alongside a C# backdoor dubbed Kalambur (aka SUMBUR). Kalambur leverages the Tor network for command-and-control and can install OpenSSH and enable RDP on port 3389 to facilitate remote access. ESET links the campaign to Sandworm sub-clusters and notes overlaps with activity reported by CERT-UA and EclecticIQ.
read more →