top of page
ALL POSTS
UNC3753 Escalates Campaign Against US Legal Firms: Vishing, Remote Access Tools, and Physical Intrusions
Key Findings UNC3753 (Luna Moth, Chatty Spider, Silent Ransom Group) conducted extortion campaign targeting US legal, financial, and professional services firms from January to May 2026 Attack chain relies entirely on social engineering and voice phishing with no malware or ransomware involved Threat actors escalated tactics to include physical office intrusions where operatives pose as IT technicians and insert USB drives to steal data Stolen data typically includes tax reco
Jun 83 min read
Google AppSheet Used to Compromise 30,000 Facebook Accounts in Phishing Campaign
Key Findings Vietnamese-linked operation "AccountDumpling" compromised over 30,000 Facebook accounts using Google AppSheet infrastructure Phishing emails bypassed authentication checks by originating from legitimate Google servers (noreply@appsheet.com and appsheet.bounces.google.com) Four distinct attack clusters employed different social engineering methods including fake help centers, incentive offers, interactive PDFs, and fake job recruitment Stolen data funneled through
May 23 min read
UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Distribute SNOW Malware
Key Findings UNC6692 is a previously undocumented threat group using Microsoft Teams to impersonate IT helpdesk staff and deploy custom SNOW malware Attack chain begins with email bombing campaigns followed by Teams-based social engineering to build false urgency Victims are tricked into clicking phishing links that download AutoHotkey scripts deploying SNOWBELT browser extension SNOW malware ecosystem is modular, including SNOWBELT backdoor, SNOWGLAZE tunneler, and SNOWBASIN
Apr 242 min read
AI-Powered Slopoly Malware Enables Hive0163's Advanced Ransomware Strategy
Key Findings Hive0163 uses AI-assisted Slopoly malware for persistent access in ransomware attacks PowerShell backdoor likely generated using a large language model (LLM) Malware maintains C2 access, collects system data, and executes remote commands Part of a broader attack framework involving NodeSnake and Interlock RAT Initial access achieved through social engineering and malvertising Background Hive0163 is a financially motivated threat actor specializing in post-comprom
Mar 132 min read
Defeating AI with AI
Key Findings Generative AI and agentic AI are increasingly used by threat actors to conduct faster and more targeted attacks. One capability that AI improves for threat actors is the ability to profile employees and craft tailored social engineering lures. However, AI can also be leveraged by defenders to turn the tables on threat actors and use their own tools against them. Background Threat actors are leveraging the advancements in AI, particularly generative AI and agentic
Feb 192 min read
Fintech Firm Figure Discloses Data Breach After Phishing Attack
Key Findings Blockchain-based lending firm Figure confirmed a data breach after an employee fell victim to a social engineering attack Hackers were able to access and steal a limited number of files, including personally identifiable information (PII) of Figure's customers The cybercrime group ShinyHunters claimed responsibility for the breach and released about 2.5GB of stolen data, which included names, addresses, birth dates, and phone numbers Figure has started notifying
Feb 142 min read
North Korea-Linked Kimsuky APT Group Responsible for Phishing Attacks, FBI Warns
Key Findings The FBI warns that the North Korea-linked advanced persistent threat (APT) group Kimsuky is targeting governments, think tanks, and academic institutions with "quishing" attacks. Quishing is a social engineering attack that uses malicious QR codes to trick victims into visiting fake websites or downloading malware. Kimsuky has conducted spear-phishing campaigns using QR codes that impersonate trusted figures like foreign advisors, embassy staff, and think tank em
Jan 112 min read
YouTube Ghost Network: Unraveling the GachiLoader Malware Hiding in Video Links
Key Findings: A massive network of compromised YouTube accounts is being weaponized to spread a sophisticated new threat, turning the popular video platform into a launchpad for data theft. The campaign, dubbed the "YouTube Ghost Network," leverages malicious videos promoting "cracked" software, trainers, or cheats to lure users into downloading a new, heavily obfuscated JavaScript malware loader called GachiLoader. GachiLoader is written in Node.js and deploys a second-stage
Dec 19, 20252 min read
bottom of page
