Campaigns Use AI Brands as Lures — Microsoft warned of campaigns that capitalize on the global interest in artificial intelligence (AI) as a social engineering lure. "These campaigns, which don't represent compromise of services, span phishing, malvertising, and search engine optimization (SEO)-driven attacks that ultimately lead to credential theft, financial fraud, or malware infection," the company said. Some of the campaigns include a ChatGPT-themed lure that leads to a phishing kit collecting credit card data, a Claude-themed phishing campaign collecting credentials and access tokens, an "Awesome AI Windows Plugin" malvertising campaign deploying Vidar Stealer, and fake DeepSeek V4 installers on GitHub delivering Vidar Stealer. The tech giant said it "observed the initial access broker Storm-3075 employing AI-themed malvertising to deliver payloads, including malware signed by the malware-signing-as-a-service (MSaaS) offering attributed to the financially motivated threat actor Fox Tempest, on behalf of multiple downstream actors."

macOS Users Targeted by Fake Installers — Deceptive installers for popular software are being used to push information stealers to macOS users. "The infection chain almost always starts inside a web browser," Huntress said. "Threat actors lean heavily on search engine optimization (SEO) poisoning to hijack search results, or they seed compromised links across torrent networks and cracked software forums. A user drops their guard, clicks the malicious link, and downloads what they assume is an authentic installer." Once executed, the DMG files attempt to bypass Apple's Gatekeeper protections. In 2024, more than 65% of newly reported macOS malware was classified as infostealers.

History of Chinese-Language Guarantee Marketplaces — Flare has shed light on the "guarantee model" that powers various illicit Telegram marketplaces such as HuiOne Guarantee and Tudou Guarantee. "These marketplaces are third-party escrow services for illicit transactions," security researcher Chris d'Eon explained. "The marketplace operator stands between buyer and seller, holds the buyer's funds in escrow, releases them to the seller only when the buyer confirms delivery, and adjudicates disputes when something goes wrong. In return, the operator collects deposits from vendors who want to advertise under its brand, fees on transactions, and revenue from paid promotional slots." The model, which has its roots in the legitimate Chinese consumer-internet trust architecture launched by Alipay in 2003, facilitates the sale of money laundering services, stolen data, fraud kits, fake identity documents, recruitment for scam compounds, retail fraud, deepfake services, and the physical infrastructure that drives human trafficking and forced-labour compounds. Law enforcement crackdowns have led to "fragmentation but not elimination" of the criminal enterprise. More than 30 successor marketplaces have emerged following the takedown of HuiOne and Xinbi, almost all of them run via Telegram owing to its reach, bot infrastructure, and resilience, despite the platform's efforts to crack down on such activity. These include Tiancheng, Dabai, Ouyi, Yinuo, Jin Bo, Haihua, Timi, and Lao Niu.

UniFi OS Flaws Exploited — The UniFi OS Server remote code execution chain, comprising CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, is now being actively exploited, according to Defused Cyber, following a report from Bishop Fox on how the three flaws could be combined to achieve unauthenticated code execution as root. The attacks culminated in the deployment of commodity malware.

Khmer Shadow Targets Cambodian Government Entities — A targeted cyber espionage campaign against Cambodian government entities has leveraged a meeting-themed SFX archive to sideload a custom C++ loader dubbed NIGHTFORGE, which then decrypts and executes a Havoc Demon payload in memory. "NIGHTFORGE has demonstrated a moderate level of sophistication, combining advanced defense-evasion techniques such as NTDLL unhooking and Hell's Gate syscall resolution, a method that enables direct system calls and helps evade user-mode monitoring, with operational shortcomings that suggest the tool is still under active development," Acronis said. The activity has not been attributed to any known threat group, but it's "likely aligned with regional intelligence collection interests in Southeast Asia."

How Attackers Could Exploit Cloud Logging Services — Palo Alto Networks Unit 42 has warned that threat actors could exploit cloud logging services, which are crucial for security monitoring, to "create weak spots, evade detection, and in certain scenarios, establish continuous visibility within a target's environment." Attackers could tamper with resources within the cloud logging service (disabling, altering, or deleting logs, or otherwise impairing logging) to hide their presence, or attempt to route logs to their own accounts, thereby gaining continuous visibility over the victim's environment, performing continuous discovery, and passively monitoring all activity.

Operation TaxShadow Delivers Multi-Stage Malware Framework — An Indian tax-themed phishing campaign has been observed delivering a sophisticated multi-stage malware framework through a mix of social engineering, phishing infrastructure, and memory-resident malware execution techniques. "The campaign begins with a fraudulent tax notification email impersonating an official Indian tax authority, leveraging government branding, urgency-based messaging, and compliance-related threats to manipulate victims into interacting with a malicious phishing website," CYFIRMA said. "Victims are subsequently instructed to download a malicious ZIP archive containing three staged payload components: कर विवरण.exe, SbieDll.dll, and SbieDll.bin, which collectively establish the complete infection lifecycle." The attack makes use of a highly modular malware architecture, coupled with advanced defense-evasion and anti-analysis techniques, to launch a payload in memory. The malware also establishes persistent WebSocket-based communications.

MagicAd Displays Background Ads on Android Devices — A new Android trojan called MagicAd has been found to bypass operating system restrictions to display background ads. "One of these methods is universal, while the others are designed for devices from specific manufacturers," Russian cybersecurity company Doctor Web said. "These include exploiting third-party software and using the system media player." The malware is distributed via apps on GetApps, the official app catalog for Xiaomi devices, and has been discovered in more than 50 games and apps. The campaign is assessed to have commenced in 2025, with the threat actors behind it also leveraging the Samsung Galaxy Store as a distribution mechanism. Currently, none of the apps are available for download.

Residential Proxies in the Wild — Residential proxies are designed to relay internet traffic through devices that belong to regular consumers, such as home routers, mobile devices, IoT devices, and devices running applications embedded with proxyware. One way this is achieved is for application developers to embed software development kits (SDKs) provided by the residential proxy networks into their products as a way to monetize their software, receiving a small amount of money for each installation. In an analysis published last week, Infoblox said monthly queries to residential proxy domains across its customer base steadily grew from nearly 400 billion to over 500 billion between January 2025 and April 2026, an increase of about 25%. "There are likely several explanations for this: certainly, the rise in AI-related training, which often requires scraping websites, is a major driver of residential proxy demand," it said. "Residential proxies bypass many anti-scraping measures, as the traffic appears to be coming from the devices of real people." Some of the most commonly observed proxy services queried include Bright Data, Hola VPN, Oxylabs Proxy, Honeygain, and Grass. The DNS threat intelligence firm said many residential proxy services operate in a grey space.

SHEET#CREEP Drops C# Remote Access Trojan — An ongoing cyber espionage campaign dubbed SHEET#CREEP has leveraged a diplomatic-themed ISO phishing lure to distribute a C# remote access trojan (RAT). The activity was previously flagged by Zscaler and Bitdefender, which attributed it to a threat actor known as Transparent Tribe. "The RAT abuses the Google Sheets API as its command-and-control (C2) channel, authenticating via an embedded GCP service account private key and using individual spreadsheet tabs per victim for bidirectional communication," Securonix researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee said. "The LNK triggers a C# dropper that extracts a bait PDF, drops the RAT payload into the Windows Vault directory, and establishes persistence through a scheduled task, before melting (self-deleting) to remove forensic traces." The cybersecurity company said it identified 91 active victim tabs in the C2 spreadsheet, including a high-confidence target located in Pakistan.

Malware Distributed via npm and PyPI Packages — A cryptocurrency-focused software supply chain campaign has used malicious npm packages to facilitate credential harvesting, wallet theft, remote payload delivery, and blockchain-based command-and-control. "Technical analysis uncovered capabilities including cryptocurrency wallet interception, private key and mnemonic phrase theft, SSH credential harvesting, environment variable collection, sensitive file discovery, remote activation mechanisms, blockchain-based infrastructure retrieval, and multi-stage malware deployment," CYFIRMA said. A second campaign, codenamed Solana FakeFix, has targeted Solana developers with 20 bogus npm and PyPI packages to steal wallet keys, cloud credentials, source-control tokens, SSH keys, and environment secrets, while a third campaign, CMS Windows Loader, has used five npm packages to load remote executables and JavaScript code dynamically. In a related development, two versions of the dbmux npm package (2.2.5 and 1.0.5) were flagged for containing malware. "Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer," according to a GitHub advisory. "The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it."

Ransomware Attack Uses Easyupload.io for Data Exfiltration — In one ransomware attack investigated by Huntress, a threat actor accessed the victim's hypervisor and created a new virtual machine (VM) as a staging location from which they launched the Akira ransomware. The threat actor progressed rapidly through the attack, disabling Microsoft Defender and installing WinRAR, an archival tool commonly used by threat actors to stage data. "The threat actor used the Microsoft Edge browser to access Bing, and search for the term 'eayupload' before settling on Easyupload.io, a website that provides access to file uploads via drag-and-drop," the cybersecurity company said. "Shortly after accessing the LimeWire website, presumably to exfiltrate staged archives, the threat actor launched the akira.exe file encryptor against several mounted shares."
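The three log-tampering behaviours described in the Unit 42 item (impairing logs, narrowing what is recorded, and redirecting delivery to an attacker-controlled account) can be watched for in the logging service's own audit trail. The following detector is an added example, not code from the report; it uses AWS CloudTrail management-event names as the illustration, and OWN_ACCOUNT, KNOWN_BUCKETS and the sample records are constructed.

```python
# Added example (not from the Unit 42 report): flags the three log-tampering
# behaviours it describes, illustrated with AWS CloudTrail management-event
# names. OWN_ACCOUNT, KNOWN_BUCKETS and the sample records are constructed.
import re

OWN_ACCOUNT = "111111111111"               # assumed: the defender's own account id
KNOWN_BUCKETS = {"corp-cloudtrail-logs"}   # assumed: buckets the trail may write to
ARN_ACCOUNT = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:(\d{12}):")
DEST_KEYS = ("cloudWatchLogsLogGroupArn", "cloudWatchLogsRoleArn", "snsTopicName")

def classify(event, own_account=OWN_ACCOUNT, known_buckets=KNOWN_BUCKETS):
    """Return a finding string for a suspicious record, or None if benign."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    trail = params.get("name", "?")
    # 1. Impairing logging outright.
    if name in ("StopLogging", "DeleteTrail"):
        return f"IMPAIR {name} trail={trail} by={actor}"
    # 2. Redirecting delivery to a bucket, log group or role we do not own.
    if name == "UpdateTrail":
        bucket = params.get("s3BucketName")
        if bucket and bucket not in known_buckets:
            return f"REDIRECT UpdateTrail trail={trail} bucket={bucket} by={actor}"
        for key in DEST_KEYS:
            m = ARN_ACCOUNT.match(params.get(key) or "")
            if m and m.group(1) != own_account:
                return f"REDIRECT UpdateTrail trail={trail} {key} account={m.group(1)} by={actor}"
    # 3. Narrowing what gets recorded (management events off, or read-only).
    if name == "PutEventSelectors":
        for sel in params.get("eventSelectors") or []:
            if sel.get("includeManagementEvents") is False or sel.get("readWriteType") == "ReadOnly":
                return f"NARROW PutEventSelectors trail={trail} selector={sel} by={actor}"
    return None

def scan(events):
    """Run classify over an iterable of CloudTrail-style records, keeping findings."""
    return [f for f in (classify(e) for e in events) if f]

CI = {"arn": "arn:aws:iam::111111111111:user/svc-ci"}   # constructed actor
SAMPLE_EVENTS = [   # constructed, abridged CloudTrail record shape
    {"eventName": "UpdateTrail", "userIdentity": CI,
     "requestParameters": {"name": "main", "s3BucketName": "corp-cloudtrail-logs"}},
    {"eventName": "StopLogging", "userIdentity": CI, "requestParameters": {"name": "main"}},
    {"eventName": "UpdateTrail", "userIdentity": CI, "requestParameters": {"name": "main",
     "cloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:999999999999:log-group:ext:*"}},
    {"eventName": "PutEventSelectors", "userIdentity": CI, "requestParameters": {"name": "main",
     "eventSelectors": [{"readWriteType": "ReadOnly", "includeManagementEvents": True}]}},
]
```

Calling `scan(SAMPLE_EVENTS)` returns three findings (the first record, a legitimate update to a known bucket, is ignored).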
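The GitHub advisory on dbmux turns on one question: is either flagged version present anywhere in a project's dependency tree, including as a transitive dependency? The checker below is an added example, not from the advisory or the npm project; it reads a parsed package-lock.json in both the lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages") layouts, and the sample lockfiles are constructed.

```python
# Added example (not from the GitHub advisory): looks for the two dbmux versions
# the advisory flags (2.2.5 and 1.0.5) in a parsed npm package-lock.json, covering
# lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
# The sample lockfiles below are constructed.
import json

AFFECTED = {"dbmux": {"2.2.5", "1.0.5"}}   # versions named in the advisory

def _walk_v1(deps, path, hits):
    """Recurse through a lockfileVersion-1 'dependencies' tree."""
    for name, info in (deps or {}).items():
        here = path + [name]
        if info.get("version") in AFFECTED.get(name, set()):
            hits.append((name, info["version"], "/".join(here)))
        _walk_v1(info.get("dependencies"), here, hits)

def find_affected(lock):
    """Return [(name, version, location)] for each affected package in the lockfile."""
    hits = []
    if "packages" in lock:                       # lockfileVersion 2 or 3
        for loc, info in lock["packages"].items():
            if not loc:
                continue                         # "" is the root project itself
            name = info.get("name") or loc.split("node_modules/")[-1]
            if info.get("version") in AFFECTED.get(name, set()):
                hits.append((name, info["version"], loc))
    else:                                        # lockfileVersion 1
        _walk_v1(lock.get("dependencies"), [], hits)
    return hits

def check_lockfile(path):
    """Load a package-lock.json from disk and return the affected entries."""
    with open(path, encoding="utf-8") as fh:
        return find_affected(json.load(fh))

# Constructed samples: a v3 lockfile with a clean top-level dbmux and a flagged
# nested copy, and a v1 lockfile with a flagged transitive copy.
LOCK_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/dbmux": {"version": "2.2.4"},
    "node_modules/foo": {"version": "1.0.0"},
    "node_modules/foo/node_modules/dbmux": {"version": "2.2.5"}}}
LOCK_V1 = {"lockfileVersion": 1, "dependencies": {
    "bar": {"version": "3.1.0", "dependencies": {"dbmux": {"version": "1.0.5"}}}}}

if __name__ == "__main__":
    for lock in (LOCK_V3, LOCK_V1):
        print(find_affected(lock))
```

A hit means the host should be treated as compromised per the advisory, so rotate secrets from a different machine rather than only removing the package.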