ALL POSTS

Key Findings: German security agencies BfV and BSI have issued a joint advisory warning of a malicious cyber campaign targeting high-ranking individuals in politics, military, diplomacy, and investigative journalism in Germany and Europe. The campaign involves phishing attacks over the Signal messaging app, aiming to gain unauthorized access to victims' accounts and compromise their confidential communications. The attacks do not involve malware or technical vulnerabilities,

Key Findings Exploitation of public-facing applications remained the top method of initial access, though it declined from 62% to about 40% of engagements. Phishing was the second-most common tactic, notably targeting Native American tribal organizations, and credential harvesting often led to further internal attacks. Ransomware incidents continued to fall, making up only 13% of cases, with Qilin ransomware still dominant. Background Cisco Talos Incident Response's report fo

Key Findings: Ongoing campaign targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage operation Phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive Malware known as Blackmoon (aka KRBanker) and a legitimate enterprise tool called SyncFuture TSM used as the final payload Sophisticated attack involving anti-analysis, privilege escalation, DLL sideloading, commercial-tool repurp

Key Findings: The North Korean threat actor Konni has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector. The phishing campaign has targeted Japan, Australia, and India, highlighting the adversary's expansion of the targeting scope beyond South Korea, Russia, Ukraine, and European nations. Konni, also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia, has been

Key Findings Attackers are impersonating LastPass in an active phishing campaign that aims to steal users' master passwords. The phishing emails claim there is urgent LastPass maintenance and urge users to back up their password vaults within 24 hours. The malicious emails use subject lines referencing infrastructure updates, vault security, and missed deadlines to trick victims. The phishing links lead to an Amazon S3–hosted page that redirects to a fake LastPass site design

Key Findings Microsoft, in collaboration with law enforcement authorities, has taken coordinated legal action to disrupt the cybercrime subscription service called RedVDS, which has allegedly fueled millions in fraud losses. RedVDS provided criminals with access to disposable virtual computers running unlicensed software, enabling them to operate anonymously and carry out various illicit activities, including phishing, business email compromise (BEC), and financial fraud. Sin

Key Findings The FBI warns that the North Korea-linked advanced persistent threat (APT) group Kimsuky is targeting governments, think tanks, and academic institutions with "quishing" attacks. Quishing is a social engineering attack that uses malicious QR codes to trick victims into visiting fake websites or downloading malware. Kimsuky has conducted spear-phishing campaigns using QR codes that impersonate trusted figures like foreign advisors, embassy staff, and think tank em

Key Findings: A massive data breach has exposed the personal information of about 17.5 million Instagram users. The exposed data includes usernames, physical addresses, phone numbers, and email addresses. Cybercriminals have stolen this sensitive information and are selling it in batches on dark web forums. Affected users have reported receiving password reset emails, raising concerns about ongoing phishing attempts. Security experts warn this breach poses serious privacy and

Key Findings Russian state-sponsored threat group APT28 (aka BlueDelta) linked to a fresh wave of credential harvesting attacks Targeting individuals associated with a Turkish energy and nuclear research agency, a European think tank, and organizations in North Macedonia and Uzbekistan Campaign leverages sophisticated phishing techniques to compromise accounts and steal user credentials Background APT28 is associated with the Main Directorate of the General Staff of the Armed

Key Findings Threat actors are exploiting misconfigured email routing and spoof protection to impersonate organizations' internal domains and distribute phishing emails. These phishing campaigns leverage phishing-as-a-service (PhaaS) platforms like Tycoon 2FA, delivering a variety of lures related to voicemails, shared documents, HR communications, and password resets. The attack vector is not new, but Microsoft has observed a surge in its usage since May 2025, targeting a wi

Key Findings Cybersecurity researchers have uncovered a phishing campaign that abuses Google Cloud Application Integration to send emails impersonating legitimate Google messages. The campaign used layered redirection, trusted cloud services, user validation checks, and brand impersonation to evade detection and increase phishing success. Over a two-week period, the researchers observed nearly 9,400 phishing emails targeting approximately 3,200 customers across various indust

Key Points The cybercrime group known as Silver Fox has shifted its focus to Indian users, using income tax-themed phishing emails to distribute the ValleyRAT remote access trojan. Silver Fox is a Chinese hacking group that has been active since 2022, targeting Chinese-speaking individuals and organizations initially, but has now expanded its victimology to include Indian users. The phishing emails contain malicious PDF attachments that lead victims to download a ZIP file con

Key Findings A Russia-aligned threat group, tracked as UNK_AcademicFlare, has been conducting phishing campaigns that abuse Microsoft 365 device code authentication workflows to steal victims' credentials and take over accounts. The attacks, ongoing since September 2025, target government, military, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary uses compromised email addresses belonging to government and military organizations

Key Findings: Sophisticated phishing campaign targeting Russian finance sector, using high-quality social engineering to bypass defenses. Malware dubbed "Phantom Stealer" deployed via malicious ISO files attached to phishing emails. Phantom Stealer equipped with aggressive data-harvesting modules targeting crypto wallets, chat apps, and browser data. Malware includes anti-analysis checks to evade security researchers. Campaign highlights shift towards ISO-based initial access

Key Findings Four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman are capable of facilitating credential theft at scale. BlackForce is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). GhostFrame uses an iframe-based approach to hide its malicious behavior and easily switch out phishing content. InboxPrime AI leverages artificial intelligen

Key Findings: Adversaries continue to use GenAI with varying levels of reliance, with state-sponsored groups and criminal organizations taking advantage of uncensored and unweighted models. Threat actors are using GenAI for coding, phishing, anti-analysis/evasion, and vulnerability discovery, although significant human involvement is still required. As models continue to shrink and hardware requirements are removed, adversarial access to GenAI and its capabilities are poised

Key Findings Phishing attacks have surged 400% year-over-year, with nearly 40% of the 28+ million recaptured phished records containing a business email address, compared to just 11.5% in recaptured malware data. Enterprises are now three times more likely to be targeted with phishing attacks than infostealer malware. Phishing has become the preferred gateway into enterprise environments, and is now the leading entry point for ransomware, accounting for 35% of all ransomware

Key Findings Microsoft Teams' "Guest Access" feature allows attackers to bypass security controls like Microsoft Defender for Office 365, creating a "protection-free zone" for malware delivery. Attackers can easily create basic Microsoft 365 accounts without security features and use them to send phishing links and malware to guest users. A recent Microsoft feature that allows any Teams user to start a chat with any email address makes it even easier for attackers to lure vic