< ciso
brief />
Tag Banner

All news with #spear phishing tag

118 articles · page 5 of 6

UNK_SmudgedSerpent Targets Academics and Policy Experts

🛡️ Proofpoint has identified a previously unknown cluster it calls UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Attackers initiated benign, topical conversations and used think‑tank impersonation alongside an OnlyOffice‑styled link that led to health-themed domains harvesting credentials and delivering a ZIP with an MSI. The installer deployed remote monitoring and management tooling — notably PDQConnect and later ISL Online — and although email activity paused in early August, related infrastructure later surfaced hosting TA455-linked malware, leaving attribution unresolved.
read more →

SmudgedSerpent Targets U.S. Policy Experts Amid Tensions

🔍 Proofpoint attributes a previously unseen cluster, UNK_SmudgedSerpent, to targeted attacks on U.S. academics and foreign‑policy experts between June and August 2025. The adversary used tailored political lures and credential‑harvesting landing pages, at times distributing an MSI that deployed legitimate RMM software such as PDQ Connect. Tactics resemble Iranian-linked groups and included impersonation of think‑tank figures to increase credibility.
read more →

Phishing and RMM Tools Enable Growing Cargo Thefts

🚚 Proofpoint warns of a spear‑phishing campaign targeting North American freight firms that installs remote monitoring and access tools to enable cargo theft. Actors compromise broker load boards, insert themselves into carrier email threads, or pose as brokers to deliver signed installers that harvest credentials and establish persistent access. The attackers have deployed a range of RMM/RAS solutions (for example ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N‑able, and LogMeIn Resolve) and use them to bid on or reroute high‑value loads; Proofpoint urges blocking unauthorized RMMs, enforcing endpoint/network detection and MFA, disallowing external executables, and expanding phishing awareness training.
read more →

Chinese Hackers Exploit Hard-to-Patch Windows Shortcut Flaw

🛡️Arctic Wolf reports that Chinese government-linked actors, tracked as UNC6384 and linked to the longer-running Mustang Panda cluster, conducted spear-phishing campaigns in September and October targeting diplomats in Hungary, Belgium, Serbia, Italy and the Netherlands by abusing a long-known Windows .LNK shortcut parsing flaw. The vulnerability allows command-line instructions to be concealed in .LNK whitespace so attackers can display decoy PDFs—such as an agenda for a European Commission meeting—while executing payloads that deploy the PlugX remote-access Trojan. Trend Micro and ZDI previously documented the issue (i.e., ZDI-CAN-25373, later CVE-2025-9491), but Microsoft has so far declined to fully patch it; Arctic Wolf advises blocking or disabling .LNK execution, monitoring for related binaries like cnmpaui.exe, and blocking C2 domains as interim mitigations.
read more →

China-Linked UNC6384 Exploits Windows LNK Vulnerability

🔒 A China-affiliated group tracked as UNC6384 exploited an unpatched Windows shortcut flaw (ZDI-CAN-25373, CVE-2025-9491) to target diplomatic and government entities in Europe between September and October 2025. According to Arctic Wolf, the campaign used spear-phishing links to deliver malicious LNK files that launch a PowerShell stager, sideload a CanonStager DLL, and deploy the PlugX remote access trojan. Microsoft says Defender detections and Smart App Control can help block this activity.
read more →

Chinese-Linked Hackers Exploit Windows Shortcut Flaw

🔎 Researchers at Arctic Wolf Labs uncovered a September–October 2025 cyber-espionage campaign that used a Windows shortcut vulnerability to target Belgian and Hungarian diplomatic entities. The operation, attributed to UNC6384 and likely tied to Mustang Panda (TEMP.Hex), combined spear phishing with malicious .LNK files exploiting ZDI-CAN-25373 and deployed a multi-stage chain ending in the PlugX RAT. Attackers used DLL side-loading, signed Canon utilities and obfuscated PowerShell to extract and execute an encrypted payload while displaying decoy diplomatic PDFs.
read more →

BlueNoroff Returns with GhostCall and GhostHire Campaigns

🚨 BlueNoroff, a North Korea–linked subgroup of the Lazarus Group, has reemerged with two focused campaigns—GhostCall and GhostHire—targeting executives, Web3 developers and blockchain professionals. Operators use social engineering on Telegram and LinkedIn to stage fake investor meetings and recruiter coding tests, then deliver multi-stage, cross-platform malware. Samples were found written in Go, Rust, Nim and AppleScript and deploy implants such as DownTroy, CosmicDoor and Rootroy to harvest crypto keys, credentials and project assets.
read more →

SideWinder Adopts ClickOnce and PDF Lures in 2025 Campaign

🛡️ Trellix researchers report that the threat actor SideWinder has evolved its tradecraft in 2025 by adopting a PDF + ClickOnce infection chain alongside previously used Word exploit vectors. Four spear‑phishing waves from March through September targeted a European embassy in New Delhi and organizations in Sri Lanka, Pakistan and Bangladesh, using tailored lures and a signed MagTek executable that side‑loads a malicious DLL. The DLL decrypts and runs a .NET loader (ModuleInstaller) which fetches StealerBot, a .NET implant capable of reverse shells, delivering additional payloads, and collecting screenshots, keystrokes, credentials and files.
read more →

APT36 Targets Indian Government with Golang DeskRAT

🔐 Sekoia observed Transparent Tribe (APT36) conducting spear-phishing campaigns in Aug–Sep 2025 that deliver a Golang remote access trojan dubbed DeskRAT. The attacks use ZIP attachments containing malicious .desktop files that display a decoy PDF while executing the payload, specifically targeting BOSS Linux systems. DeskRAT establishes WebSocket C2, supports multiple persistence mechanisms, and includes modules for harvesting and exfiltrating WhatsApp and Chrome data. Researchers also reported the use of "stealth servers" and a shift from cloud-hosted distribution to dedicated staging infrastructure.
read more →

PhantomCaptcha spear-phishing targets NGOs and regions

🔒SentinelOne reported a one-day spear-phishing campaign on October 8 that targeted aid organisations and Ukrainian regional administrations. The operation, named PhantomCaptcha, delivered a WebSocket RAT hosted on Russian-owned infrastructure and used weaponized PDFs and a fake Cloudflare CAPTCHA to trick victims into executing PowerShell. The multi-stage chain enabled data exfiltration, persistent remote access and potential deployment of additional malware.
read more →

Lazarus Targets European Drone Makers in Espionage

📡 ESET researchers have uncovered a new Lazarus Group espionage campaign targeting European defense contractors, with a focus on companies involved in unmanned aerial vehicle (UAV) development since March 2025. The attackers used spear-phishing with fake job offers and trojanized open-source tools such as WinMerge and Notepad++ to deliver loaders and the custom RAT ScoringMathTea. The intrusion chain relied on DLL side-loading, reflective loading, and process injection to maintain persistence and exfiltrate design and supply-chain data. ESET has published IoCs and MITRE ATT&CK mappings to help defenders respond.
read more →

North Korean Hackers Target European Defense Firms

🛡️ European defense and aerospace firms are being targeted in a renewed Operation Dream Job campaign attributed to North Korean-linked Lazarus actors, ESET reports. Active since March 2025, attackers use social-engineering job lures and trojanized documents to deploy ScoringMathTea and MISTPEN-like downloaders such as BinMergeLoader that abuse Microsoft Graph API. The goal is theft of proprietary UAV manufacturing know‑how and related intellectual property.
read more →

Lazarus Group's Operation DreamJob Hits EU Drone Firms

🛡️ ESET attributes a March 2025 wave of cyber-espionage against three European defense firms to the North Korea-aligned Lazarus Group, describing it as a renewed phase of Operation DreamJob. Targets tied to UAV development were lured with convincing fake job offers that delivered trojanized PDF readers and chained loaders. The primary payload, ScoringMathTea, is a remote access Trojan that provides attackers full control, and researchers found malicious components disguised as legitimate open-source tools.
read more →

Lazarus Operation DreamJob Targets European Defense

🔍 North Korean-linked Lazarus actors ran an Operation DreamJob campaign in late March that targeted three European defense companies involved in UAV technology. Using fake recruitment lures, victims were tricked into installing trojanized open-source applications and plugins which loaded malicious payloads via DLL sideloading. Final-stage malware included the ScoringMathTea RAT, while an alternate chain used the BinMergeLoader (MISTPEN) to abuse Microsoft Graph API tokens. ESET published extensive IoCs to aid detection.
read more →

PhantomCaptcha ClickFix Attack Targets Ukraine Relief Orgs

🛡️ A one-day spearphishing campaign named PhantomCaptcha targeted Ukrainian regional government officials and multiple war-relief organizations on October 8, using malicious PDFs that linked to a fake Zoom domain and impersonated the President’s Office. According to SentinelLABS, the operation used a fake Cloudflare CAPTCHA to trick victims into copying and pasting a token into the Windows Command Prompt, which executed a PowerShell downloader and deployed a WebSocket RAT. The lightweight RAT provided remote command execution and data exfiltration capabilities, and researchers found follow-on activity delivering spyware-laced Android APKs to users in Lviv.
read more →

From HealthKick to GOVERSHELL: UTA0388's Malware Evolution

🔎 Volexity attributes a series of tailored spear‑phishing campaigns to a China‑aligned actor tracked as UTA0388, which delivers a Go-based implant named GOVERSHELL. The waves used multilingual, persona-driven lures and legitimate cloud hosting (Netlify, Sync, OneDrive) to stage ZIP/RAR archives that deploy DLL side‑loading and a persistent backdoor. As many as five GOVERSHELL variants emerged between April and September 2025, succeeding an earlier C++ family called HealthKick. Volexity also observed the actor abusing LLMs such as ChatGPT to craft phishing content and automate workflows.
read more →

Cavalry Werewolf Targets Russian Public Sector with RATs

🚨 BI.ZONE warns of a campaign dubbed Cavalry Werewolf that has targeted Russian state agencies and critical industrial sectors using FoalShell and StallionRAT. Attackers used spear-phishing with spoofed Kyrgyz government emails and RAR attachments to deploy lightweight reverse shells and a RAT that exfiltrates data via a Telegram bot. Observed tooling and Telegram commands indicate organized post-compromise operations and use of socks proxies for lateral movement. BI.ZONE links the activity to groups including Tomiris and YoroTrooper, suggesting possible Kazakhstan ties.
read more →

Extortion Emails Target Executives Claiming Clop Ties

📧 An individual or group claiming to work with the Clop ransomware gang has been sending extortion emails to executives at multiple organizations since September 29, according to Google. Researchers at Mandiant and the Google Threat Intelligence Group are investigating and report a high-volume campaign launched from hundreds of compromised accounts, with at least one account previously linked to FIN11. The messages include contact information that matches addresses on the Clop data leak site, suggesting the actor may be leveraging Clop's brand; however, investigators emphasize this does not prove direct Clop involvement and advise targeted organizations to search for indicators of compromise.
read more →

Confucius Targets Pakistan with WooperStealer and Anondoor

🔒 Fortinet researchers attribute a renewed phishing campaign to Confucius, which has repeatedly targeted Pakistani government, military, and defense industry recipients using spear‑phishing and malicious documents. Attack chains observed from December 2024 through August 2025 delivered WooperStealer via DLL side‑loading using .PPSX and .LNK lures, and later introduced a Python implant, Anondoor. The group layered obfuscation and swapped tools and infrastructure to sustain credential theft, screenshot capture, file enumeration, and persistent exfiltration while evading detection.
read more →

Confucius Espionage: Evolution from Stealer to Backdoor

🔐 FortiGuard Labs documents the Confucius espionage group’s shift from document-stealing malware to a stealthy Python-based backdoor targeting Microsoft Windows. Recent campaigns used spear-phishing with weaponized Office PPSX files, malicious LNK loaders, and staged PowerShell installers to deploy runtimes and execute AnonDoor modules. The actor leveraged DLL side-loading, scheduled tasks, and HKCU registry Load persistence to maintain stealth and periodic execution. Fortinet urges layered defenses, updated signatures, and user training to mitigate these threats.
read more →