top of page
ALL POSTS
JanelaRAT: Financial Malware Targeting Latin American Banks with Thousands of Attacks in 2025
Key Findings JanelaRAT is a modified BX RAT variant targeting financial institutions across Latin America, with 14,739 recorded attacks in Brazil and 11,695 in Mexico during 2025 The malware uses a custom title bar detection mechanism to identify banking websites and execute fraudulent actions in real-time Initial infection relies on phishing emails mimicking invoice notifications, leading to multi-stage infection chains using MSI installers and DLL side-loading Recent campai
Apr 133 min read
AITM Phishing Campaign Targets TikTok Business Accounts with Cloudflare Evasion Tactics
Key Findings Push Security identified a new AITM phishing campaign targeting TikTok for Business accounts to hijack them for malvertising and fraud Attackers use fake TikTok and Google-themed pages with Cloudflare Turnstile bot protection to bypass security scanners Newly registered domains are created rapidly and hosted behind Cloudflare, making them difficult to track Compromised accounts are used for malvertising, credential theft, malware distribution, and ad fraud Many u
Mar 272 min read
Ghost Campaign: Malicious npm Packages Target Crypto Wallets and Credentials Through Deceptive Installation Methods
Key Findings Seven malicious npm packages tracked as "Ghost campaign" designed to steal cryptocurrency wallets and credentials Packages use sophisticated social engineering tactics including fake installation logs and sudo password phishing Attack chain culminates in remote access trojan capable of harvesting sensitive data and awaiting attacker commands Activity shares overlap with GhostClaw campaign, suggesting possible connection between threat actors Packages published un
Mar 253 min read
Fake Resumes and Malicious npm Packages: New Attack Vector Targeting Enterprise Credentials and Crypto Assets
Key Findings Campaign named FAUX#ELEVATE targets French-speaking corporate environments using fake resume documents delivered via phishing emails Heavily obfuscated VBScript files contain only 266 lines of executable code out of 224,471 total lines, with the rest being junk comments to evade detection Attack completes full infection chain in approximately 25 seconds, from initial execution through credential exfiltration Malware exclusively targets domain-joined enterprise ma
Mar 243 min read
Russian Intelligence Suspected in WhatsApp and Signal Phishing Campaign Targeting Mass Users
Key Findings Russian Intelligence Services-linked actors are conducting phishing campaigns targeting Signal and WhatsApp accounts of high-value targets including U.S. government officials, military personnel, politicians, and journalists Thousands of accounts have already been compromised worldwide through these operations Attackers bypass encryption by hijacking accounts rather than breaking encryption itself, using phishing to trick users into sharing verification codes or
Mar 223 min read
FBI Warns: Russian Hackers Targeting Secure Messaging Apps
Key Findings * Russian-aligned hackers targeting commercial messaging apps * Phishing campaigns compromising thousands of high-value accounts * Attacks do not break encryption, but exploit social engineering * Targets include government officials, military personnel, journalists * Methods involve tricking users into sharing verification codes or clicking malicious links Background Russian state-affiliated threat actors are conducting sophisticated phishing campaigns against p
Mar 221 min read
New .NET AOT Malware Conceals Code in Stealthy Black Box Architecture
Key Findings * New .NET AOT malware campaign discovered by Howler Cell researchers * Uses Ahead-of-Time (AOT) compilation to evade standard security detection * Multi-stage attack with sophisticated evasion techniques * Targets individual systems through phishing emails * Employs complex scoring system to determine victim validity Background The emergence of this malware represents a sophisticated evolution in cyberthreat techniques. Traditional malware detection relies on an
Mar 191 min read
Cloudflare Human Check Exploited by Hackers to Conceal Microsoft 365 Phishing Sites
Key Findings * Attackers are exploiting Cloudflare's human verification system to hide phishing pages * Custom virtual machine function used to obfuscate malicious code * Targets Microsoft 365 login credentials * Employs sophisticated evasion techniques against security scanners * Uses location-based filtering to block security researchers Background Cybercriminals have developed an innovative method of hiding phishing websites by leveraging Cloudflare's Turnstile verificatio
Mar 132 min read
Microsoft Warns of ClickFix Using Windows Terminal to Distribute Lumma Stealer
Key Findings: Microsoft Defender experts uncovered a widespread ClickFix campaign exploiting Windows Terminal to deliver Lumma Stealer malware. The campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, bypassing Run-dialog detections. Attackers guide users to paste malicious PowerShell commands from fake CAPTCHAs, troubleshooting prompts, or verification-style lures. The malicious payload downloads and executes a multi-st
Mar 62 min read
Dust Specter APT Targets Iraqi Government Officials with New AI-Assisted Malware
Key Findings Suspected Iran-nexus threat actor, tracked as "Dust Specter", targeted Iraqi government officials in a campaign observed in January 2026. The threat actor used phishing emails impersonating Iraq's Ministry of Foreign Affairs to deliver previously undocumented malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The attacks involved two different infection chains, one using a password-protected RAR archive and another consolidating the same fu
Mar 62 min read
Europol-Led Operation Disrupts Tycoon 2FA Phishing Scheme Linked to Thousands of Attacks
Key Findings Tycoon 2FA, a prominent Phishing-as-a-Service (PhaaS) platform, was dismantled by a coalition of law enforcement agencies and security companies led by Europol. The subscription-based phishing kit, which emerged in August 2023, was described as one of the largest phishing operations worldwide. Tycoon 2FA's primary developer is alleged to be Saad Fridi, who is said to be based in Pakistan. The platform enabled thousands of cybercriminals to covertly access email a
Mar 62 min read
APT28-Linked Campaign Targets Ukraine with Malware Threats
Key Findings: A new Russian cyber campaign has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28. The attack chain initiates with a phishing email containing a link to a ZIP archive, which leads to the deployment of a .NET-based loader called BadPaw and a sophisticated backdoor called MeowMeow. Background T
Mar 52 min read
Malware Attacks: Russian APT Targets Ukraine with BadPaw and MeowMeow
Key Findings Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain. The malware uses the .NET Reactor packer to make analysis and reverse engineering harder, showing th
Mar 52 min read
Silver Dragon: APT41-Linked Threat Targeting Governments with Cobalt Strike and Google Drive C2
Key Findings Silver Dragon, an APT group linked to APT41, has been targeting government entities in Europe and Southeast Asia since mid-2024. The group gains initial access by exploiting public-facing internet servers and delivering phishing emails with malicious attachments. Silver Dragon uses techniques like Cobalt Strike beacons and DNS tunneling for persistence and command-and-control (C2) communication. The group employs multiple infection chains, including AppDomain hij
Mar 42 min read
Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication
Key Findings: Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections. Starkiller is advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard to impersonate brands or enter a brand's real URL. The platform lets users choose custom keywords and integrates URL shorteners to obscure the destin
Mar 33 min read
Germany Warns of Signal Phishing Attacks Targeting Politicians, Military, Journalists
Key Findings: German security agencies BfV and BSI have issued a joint advisory warning of a malicious cyber campaign targeting high-ranking individuals in politics, military, diplomacy, and investigative journalism in Germany and Europe. The campaign involves phishing attacks over the Signal messaging app, aiming to gain unauthorized access to victims' accounts and compromise their confidential communications. The attacks do not involve malware or technical vulnerabilities,
Feb 72 min read
Im Locked In: A Tale of Unexpected Confinement
Key Findings Exploitation of public-facing applications remained the top method of initial access, though it declined from 62% to about 40% of engagements. Phishing was the second-most common tactic, notably targeting Native American tribal organizations, and credential harvesting often led to further internal attacks. Ransomware incidents continued to fall, making up only 13% of cases, with Qilin ransomware still dominant. Background Cisco Talos Incident Response's report fo
Jan 292 min read
Targeted Indian Users in Tax Phishing Campaign Delivering Blackmoon Malware
Key Findings: Ongoing campaign targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage operation Phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive Malware known as Blackmoon (aka KRBanker) and a legitimate enterprise tool called SyncFuture TSM used as the final payload Sophisticated attack involving anti-analysis, privilege escalation, DLL sideloading, commercial-tool repurp
Jan 262 min read
Konni Hackers Target Blockchain Developers with AI-Generated PowerShell Backdoor
Key Findings: The North Korean threat actor Konni has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector. The phishing campaign has targeted Japan, Australia, and India, highlighting the adversary's expansion of the targeting scope beyond South Korea, Russia, Ukraine, and European nations. Konni, also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia, has been
Jan 263 min read
Crooks Impersonate LastPass in Scheme to Harvest Master Passwords
Key Findings Attackers are impersonating LastPass in an active phishing campaign that aims to steal users' master passwords. The phishing emails claim there is urgent LastPass maintenance and urge users to back up their password vaults within 24 hours. The malicious emails use subject lines referencing infrastructure updates, vault security, and missed deadlines to trick victims. The phishing links lead to an Amazon S3–hosted page that redirects to a fake LastPass site design
Jan 212 min read
bottom of page
