All news with #spear phishing tag

🔒 Professionals routinely share work-related details on platforms such as LinkedIn, GitHub and consumer networks like Instagram and X, creating a public intelligence trove that attackers readily exploit. Job titles, project names, vendor relationships, commit metadata and travel plans are commonly weaponised into spearphishing, BEC and deepfake-enabled schemes. Organisations should emphasise security awareness, implement clear social media policies, enforce MFA and password managers, actively monitor public accounts and run red-team exercises to validate controls.

🛡️ Kaspersky researchers report that the Tomiris threat actor has increasingly used legitimate public services such as Telegram and Discord as command-and-control channels to blend malicious traffic with benign activity. The campaign relies on tailored spear-phishing with password-protected RAR attachments, multi-language implants, and open-source C2 frameworks like Havoc and AdaptixC2. Targeting focuses on Russian-speaking governmental and diplomatic entities across Central Asia and Russia, enabling long-term persistence and covert intelligence collection.

🐺 Group-IB and Ukuk report that the actor known as Bloody Wolf has conducted spear-phishing campaigns since June 2025 targeting Kyrgyzstan and, by October 2025, expanded into Uzbekistan to deliver NetSupport RAT. Attackers impersonate government ministries using malicious PDFs that host Java Archive (JAR) loaders built for Java 8, instructing victims to install Java so the loader can execute. The loader fetches the NetSupport payload and establishes persistence via scheduled tasks, registry entries, and a startup batch script in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.

🔎 Researchers at Group-IB and UKUK have identified a widening campaign by the Bloody Wolf APT that uses streamlined Java-based loaders to deliver NetSupport remote administration software to government targets. The operation, active since late 2023 and observed in Kyrgyzstan from at least June 2025 before spreading to Uzbekistan in early October, relies on convincing PDF lures, spoofed domains and geofenced infrastructure. Simple Java 8 loaders fetch NetSupport over HTTP, add persistence via autorun entries and scheduled tasks, display fake error messages, and include a launch-limit counter to limit execution and avoid detection. The group has shifted from using STRRAT to deploying an older 2013 build of NetSupport Manager and uses a custom JAR generator to mass-produce variants.

🔒 Social media influencers are increasingly attractive targets for cybercriminals who hijack trusted accounts to distribute scams, malware and fraudulent offers. Attackers use spearphishing, credential stuffing, brute-force attacks and SIM swapping, and AI is making those lures more convincing. Compromised accounts may be sold or used to push crypto and investment scams, exfiltrate follower data or extort victims. Practical defences include long, unique passwords, app-based 2FA, phishing awareness, device separation and up-to-date security software.

🛡️ The Israel National Digital Agency (INDA) has attributed a new espionage campaign codenamed SpearSpecter to Iranian state‑aligned APT42, active since September 2025 against senior defense and government officials and their family members. Operators employ tailored social engineering—invites to conferences and impersonated WhatsApp contacts—to deliver a WebDAV‑served .LNK via the search‑ms: handler that retrieves a batch script and stages the TAMECAT PowerShell backdoor. TAMECAT uses HTTPS, Discord, and Telegram for command-and-control, supports modular data‑theft capabilities (browser and Outlook exfiltration, screenshots), and relies on Cloudflare Workers, LOLBins, in‑memory execution, and obfuscation to maintain persistent, stealthy access.

📧 Volexity has linked a series of spear-phishing campaigns from June to August 2025 to a China-aligned actor tracked as UTA0388. The group used tailored, rapport-building messages impersonating senior researchers and delivered archive files that contained a benign-looking executable alongside a hidden malicious DLL loaded via search order hijacking. The distributed malware family, labeled GOVERSHELL, evolved through five variants capable of remote command execution, data collection and persistence, shifting communications from simple shells to encrypted WebSocket and HTTPS channels. Linguistic oddities, mixed-language messages and bizarre file inclusions led researchers to conclude LLMs likely assisted in crafting emails and possibly code.

🛡️ A Russia-aligned cluster tracked as InedibleOchotense impersonated Slovak vendor ESET in May 2025, sending spear-phishing emails and Signal messages to multiple Ukrainian organizations. Recipients were directed to domains such as esetsmart[.]com hosting a trojanized installer that deployed the legitimate ESET AV Remover alongside a C# backdoor dubbed Kalambur (aka SUMBUR). Kalambur leverages the Tor network for command-and-control and can install OpenSSH and enable RDP on port 3389 to facilitate remote access. ESET links the campaign to Sandworm sub-clusters and notes overlaps with activity reported by CERT-UA and EclecticIQ.

🛡️ Proofpoint has identified a previously unknown cluster it calls UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Attackers initiated benign, topical conversations and used think‑tank impersonation alongside an OnlyOffice‑styled link that led to health-themed domains harvesting credentials and delivering a ZIP with an MSI. The installer deployed remote monitoring and management tooling — notably PDQConnect and later ISL Online — and although email activity paused in early August, related infrastructure later surfaced hosting TA455-linked malware, leaving attribution unresolved.

🔍 Proofpoint attributes a previously unseen cluster, UNK_SmudgedSerpent, to targeted attacks on U.S. academics and foreign‑policy experts between June and August 2025. The adversary used tailored political lures and credential‑harvesting landing pages, at times distributing an MSI that deployed legitimate RMM software such as PDQ Connect. Tactics resemble Iranian-linked groups and included impersonation of think‑tank figures to increase credibility.

🚚 Proofpoint warns of a spear‑phishing campaign targeting North American freight firms that installs remote monitoring and access tools to enable cargo theft. Actors compromise broker load boards, insert themselves into carrier email threads, or pose as brokers to deliver signed installers that harvest credentials and establish persistent access. The attackers have deployed a range of RMM/RAS solutions (for example ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N‑able, and LogMeIn Resolve) and use them to bid on or reroute high‑value loads; Proofpoint urges blocking unauthorized RMMs, enforcing endpoint/network detection and MFA, disallowing external executables, and expanding phishing awareness training.

🛡️Arctic Wolf reports that Chinese government-linked actors, tracked as UNC6384 and linked to the longer-running Mustang Panda cluster, conducted spear-phishing campaigns in September and October targeting diplomats in Hungary, Belgium, Serbia, Italy and the Netherlands by abusing a long-known Windows .LNK shortcut parsing flaw. The vulnerability allows command-line instructions to be concealed in .LNK whitespace so attackers can display decoy PDFs—such as an agenda for a European Commission meeting—while executing payloads that deploy the PlugX remote-access Trojan. Trend Micro and ZDI previously documented the issue (i.e., ZDI-CAN-25373, later CVE-2025-9491), but Microsoft has so far declined to fully patch it; Arctic Wolf advises blocking or disabling .LNK execution, monitoring for related binaries like cnmpaui.exe, and blocking C2 domains as interim mitigations.

🔒 A China-affiliated group tracked as UNC6384 exploited an unpatched Windows shortcut flaw (ZDI-CAN-25373, CVE-2025-9491) to target diplomatic and government entities in Europe between September and October 2025. According to Arctic Wolf, the campaign used spear-phishing links to deliver malicious LNK files that launch a PowerShell stager, sideload a CanonStager DLL, and deploy the PlugX remote access trojan. Microsoft says Defender detections and Smart App Control can help block this activity.

🔎 Researchers at Arctic Wolf Labs uncovered a September–October 2025 cyber-espionage campaign that used a Windows shortcut vulnerability to target Belgian and Hungarian diplomatic entities. The operation, attributed to UNC6384 and likely tied to Mustang Panda (TEMP.Hex), combined spear phishing with malicious .LNK files exploiting ZDI-CAN-25373 and deployed a multi-stage chain ending in the PlugX RAT. Attackers used DLL side-loading, signed Canon utilities and obfuscated PowerShell to extract and execute an encrypted payload while displaying decoy diplomatic PDFs.

🚨 BlueNoroff, a North Korea–linked subgroup of the Lazarus Group, has reemerged with two focused campaigns—GhostCall and GhostHire—targeting executives, Web3 developers and blockchain professionals. Operators use social engineering on Telegram and LinkedIn to stage fake investor meetings and recruiter coding tests, then deliver multi-stage, cross-platform malware. Samples were found written in Go, Rust, Nim and AppleScript and deploy implants such as DownTroy, CosmicDoor and Rootroy to harvest crypto keys, credentials and project assets.

🛡️ Trellix researchers report that the threat actor SideWinder has evolved its tradecraft in 2025 by adopting a PDF + ClickOnce infection chain alongside previously used Word exploit vectors. Four spear‑phishing waves from March through September targeted a European embassy in New Delhi and organizations in Sri Lanka, Pakistan and Bangladesh, using tailored lures and a signed MagTek executable that side‑loads a malicious DLL. The DLL decrypts and runs a .NET loader (ModuleInstaller) which fetches StealerBot, a .NET implant capable of reverse shells, delivering additional payloads, and collecting screenshots, keystrokes, credentials and files.

🔐 Sekoia observed Transparent Tribe (APT36) conducting spear-phishing campaigns in Aug–Sep 2025 that deliver a Golang remote access trojan dubbed DeskRAT. The attacks use ZIP attachments containing malicious .desktop files that display a decoy PDF while executing the payload, specifically targeting BOSS Linux systems. DeskRAT establishes WebSocket C2, supports multiple persistence mechanisms, and includes modules for harvesting and exfiltrating WhatsApp and Chrome data. Researchers also reported the use of "stealth servers" and a shift from cloud-hosted distribution to dedicated staging infrastructure.

🔒SentinelOne reported a one-day spear-phishing campaign on October 8 that targeted aid organisations and Ukrainian regional administrations. The operation, named PhantomCaptcha, delivered a WebSocket RAT hosted on Russian-owned infrastructure and used weaponized PDFs and a fake Cloudflare CAPTCHA to trick victims into executing PowerShell. The multi-stage chain enabled data exfiltration, persistent remote access and potential deployment of additional malware.

📡 ESET researchers have uncovered a new Lazarus Group espionage campaign targeting European defense contractors, with a focus on companies involved in unmanned aerial vehicle (UAV) development since March 2025. The attackers used spear-phishing with fake job offers and trojanized open-source tools such as WinMerge and Notepad++ to deliver loaders and the custom RAT ScoringMathTea. The intrusion chain relied on DLL side-loading, reflective loading, and process injection to maintain persistence and exfiltrate design and supply-chain data. ESET has published IoCs and MITRE ATT&CK mappings to help defenders respond.

🛡️ European defense and aerospace firms are being targeted in a renewed Operation Dream Job campaign attributed to North Korean-linked Lazarus actors, ESET reports. Active since March 2025, attackers use social-engineering job lures and trojanized documents to deploy ScoringMathTea and MISTPEN-like downloaders such as BinMergeLoader that abuse Microsoft Graph API. The goal is theft of proprietary UAV manufacturing know‑how and related intellectual property.