top of page
ALL POSTS
Passwordless Phishing: How Attackers Hijack Microsoft 365 Through Device Code Authentication
Key Findings A sophisticated phishing-as-a-service kit called EvilTokens exploits Microsoft's legitimate OAuth 2.0 device authorization flow to hijack Microsoft 365 accounts without stealing passwords Attackers trick victims into entering a device code on a real Microsoft login page, which grants the attacker valid access tokens to the compromised account The attack bypasses traditional phishing detection methods by using genuine Microsoft authentication pages, eliminating fa
Jun 204 min read
Phishing Attacks Surge Across Fortune 100: Employee Data Exposed at 86% of Companies
Key Findings 86% of Fortune 100 companies had employee data exposed through phishing attacks in the past 12 months 78% of large organizations experienced increased phishing volume over the past year 84% report AI-generated phishing attacks are becoming more prevalent or harder to defend against Phishing attacks now target enterprise users five times more frequently than malware infections Only 38% of organizations can confidently detect and respond to credential theft within
Jun 172 min read
China-Linked TA4922 Hackers Deploy SilentRunLoader Malware Against UK and European Targets
Key Findings TA4922, a suspected China-aligned cybercrime group, has expanded operations from East Asia to target organisations in the UK, Germany, Italy, and South Africa The group uses locally-tailored phishing emails impersonating tax authorities, benefits services, and government agencies to increase open rates SilentRunLoader, a new Python-based malware likely developed with LLM assistance, steals Chrome credentials, cookies, and browsing data TA4922 employs a diverse to
Jun 32 min read
Fileless Infostealer Attacks Target Claude Code Users Through Counterfeit Anthropic Platforms
Key Findings Active credential theft campaign targeting Claude Code users exploiting rapid AI tool adoption Attack chain begins with SEO poisoning directing victims to spoofed Anthropic installation pages Fileless infostealer uses MP3/HTA polyglot payload and in-memory execution to evade detection Command and control infrastructure routes through Russian IP infrastructure at 185.177.239.255 Anthropic's systems have not been compromised; attack targets individual users lacking
May 313 min read
Signal Users Targeted in Coordinated Phishing Campaign to Steal Backup Recovery Keys
Key Findings Attackers are conducting a coordinated phishing campaign targeting Signal users by impersonating Signal Support via text messages The campaign specifically seeks backup recovery keys, which decrypt entire message archives stored on Signal's servers, not just future communications Journalists, activists, and human rights workers are confirmed targets, with reports of campaigns against Chinese activists and German officials A 64-character recovery key grants access
May 303 min read
ChatGPT Web Summary Vulnerability Enables Phishing Attacks Through Malicious Page Redirects
Key Findings Permiso Security discovered ChatGPhish, a vulnerability in ChatGPT that exploits the AI's trust in Markdown links and images to enable prompt injection and phishing attacks Attackers can embed malicious payloads in web pages that ChatGPT summarizes, causing automatic image fetching that leaks user IP addresses, User-Agent data, and Referer information The vulnerability transforms ChatGPT's response interface into a phishing surface by rendering malicious links, f
May 304 min read
Cloud Atlas: Upcoming Operations, New Tools, and Payload Deployments (2025-2026)
Key Findings Cloud Atlas, active since 2014, conducted pervasive SSH tunnel operations affecting government and commercial organizations in Russia and Belarus throughout late 2025 and into 2026 The group introduced new tools and malicious payloads, including VBCloud and PowerShower backdoors Primary infection vector remains phishing with ZIP archives containing malicious LNK shortcuts that execute PowerShell scripts Multi-stage attack chain includes persistence mechanisms, de
May 233 min read
FBI Alert: Kali365 Phishing Kit Rapidly Targeting Microsoft 365 Users
Key Findings FBI issued public service announcement about Kali365, a phishing-as-a-service platform targeting Microsoft 365 users since April 2026 Platform bypasses multi-factor authentication by abusing OAuth device code authorization flows Kali365 lowers technical barriers for cybercriminals by providing AI-generated phishing lures, automated templates, and real-time tracking dashboards Captured OAuth tokens grant persistent access to Microsoft 365 accounts, enabling data t
May 223 min read
INTERPOL Operation Ramz: Major Cybercrime Crackdown Across MENA Results in 201 Arrests
Key Findings INTERPOL coordinated Operation Ramz across 13 MENA countries from October 2025 to February 2026, resulting in 201 arrests and 382 additional suspects identified Nearly 8,000 intelligence records were shared between participating nations, marking the largest coordinated cybercrime effort INTERPOL has led in the region Authorities identified 3,867 victims and seized 53 servers involved in phishing, malware, and cyber scam operations Private sector partners includin
May 192 min read
Scammers Impersonate Ledger with Physical Phishing Letters Targeting Wallet Seeds
Key Findings Scammers are sending physical letters impersonating Ledger, a major hardware wallet manufacturer, to steal cryptocurrency recovery seed phrases The fraudulent letters include official-looking branding, reference numbers, and fake security warnings about a "Quantum Resistance" update with a deadline Letters are localized by region, with documented examples in Italian targeting customers in Italy, suggesting attackers have access to customer data organized by locat
May 173 min read
Ghostwriter Group Escalates Attacks on Ukrainian Government With Geofenced PDF Phishing and Cobalt Strike
Key Findings ESET discovered new Ghostwriter (FrostyNeighbor) activity targeting Ukrainian government organizations in a campaign active since March 2026 The threat actor is linked to the government of Belarus and has operated since at least 2016 under multiple aliases including UNC1151, UAC-0057, and Umbral Bison Attacks begin with spear-phishing emails containing PDFs impersonating Ukrtelecom, Ukraine's main telecommunications provider A geofencing mechanism delivers harmle
May 154 min read
Google AppSheet Used to Compromise 30,000 Facebook Accounts in Phishing Campaign
Key Findings Vietnamese-linked operation "AccountDumpling" compromised over 30,000 Facebook accounts using Google AppSheet infrastructure Phishing emails bypassed authentication checks by originating from legitimate Google servers (noreply@appsheet.com and appsheet.bounces.google.com) Four distinct attack clusters employed different social engineering methods including fake help centers, incentive offers, interactive PDFs, and fake job recruitment Stolen data funneled through
May 23 min read
Chinese Spy Infiltrates NASA Through Phishing Campaign to Steal Defense Software
Key Findings Chinese national Song Wu conducted a multi-year spear-phishing campaign impersonating U.S. aerospace researchers between 2017 and 2021 Targets included NASA, U.S. military, government agencies, universities, and private companies Wu obtained export-controlled software and source code for aerospace engineering and computational fluid dynamics applications The stolen technology has potential applications in advanced tactical missile development and weapons assessme
Apr 272 min read
ADT – 5,488,888 Accounts Breached
Key Findings ShinyHunters conducted two major "pay or leak" extortion campaigns in April 2026 targeting ADT and Udemy ADT breach exposed 5.5 million unique email addresses plus names, phone numbers, and physical addresses Small percentage of ADT records also contained dates of birth and last four digits of Social Security numbers or Tax IDs Udemy breach exposed 1.4 million unique email addresses belonging to customers and instructors Udemy data included names, addresses, phon
Apr 272 min read
UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Distribute SNOW Malware
Key Findings UNC6692 is a previously undocumented threat group using Microsoft Teams to impersonate IT helpdesk staff and deploy custom SNOW malware Attack chain begins with email bombing campaigns followed by Teams-based social engineering to build false urgency Victims are tricked into clicking phishing links that download AutoHotkey scripts deploying SNOWBELT browser extension SNOW malware ecosystem is modular, including SNOWBELT backdoor, SNOWGLAZE tunneler, and SNOWBASIN
Apr 242 min read
Identity-Based Attacks: How Adversaries Bypass Security by Walking Through the Front Door
Key Findings Stolen credentials remain the most reliable initial access vector for attackers, despite industry focus on zero-days and sophisticated exploits Identity-based attacks are accelerating due to AI automation of credential testing, custom tooling development, and phishing sophistication Traditional linear incident response models fail against real-world breaches that evolve and expand unpredictably The Dynamic Approach to Incident Response (DAIR) uses iterative loops
Apr 213 min read
Four New Android Malware Families Target 800+ Apps Globally
Key Findings Four new Android malware families identified by Zimperium zLabs: RecruitRat, SaferRat, Astrinox, and Massiv Campaigns actively targeting over 800 banking and cryptocurrency applications Malware employs overlay attacks to steal credentials and sensitive data Capable of intercepting one-time passwords and recording screen activity Distribution methods include phishing, smishing, and fake job recruitment sites Background Zimperium zLabs cybersecurity researchers hav
Apr 182 min read
PowMix Botnet Targets Czech Workforce with Randomized Command-and-Control Traffic
Key Findings PowMix botnet has been actively targeting Czech workforce since at least December 2025 with previously undocumented malware Campaign uses randomized C2 beaconing intervals and encrypted heartbeat data embedded in REST API-mimicking URLs to evade detection Multi-stage attack chain initiated via phishing emails containing malicious ZIP files with Windows Shortcut (LNK) files PowerShell loader employs AMSI bypass techniques to execute botnet payload directly in memo
Apr 164 min read
n8n Webhooks Exploited Since October 2025 in Malware Distribution Campaign
Key Findings Threat actors have weaponized n8n webhooks since October 2025 to deliver malware and fingerprint devices through phishing campaigns Malicious emails containing n8n webhook URLs appear legitimate because they originate from trusted n8n domains Email volume containing these URLs increased 686% from January 2025 to March 2026 Two primary attack methods observed: malware delivery via fake document links and device fingerprinting using invisible tracking pixels Attack
Apr 162 min read
Mirax Malware Campaign Compromises 220,000 Accounts With Complete Remote Access Capabilities
Key Findings Mirax, a new Android RAT, infected over 220,000 users primarily in Spanish-speaking regions through Meta platform advertisements The malware grants attackers full remote control of devices and converts them into SOCKS5 residential proxies for routing malicious traffic Distribution uses a multi-stage attack combining phishing sites, fake streaming apps, and GitHub-hosted droppers with strong obfuscation Mirax operates as an exclusive malware-as-a-service limited t
Apr 153 min read
bottom of page
