Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A malicious campaign using the domain 'telegrampremium[.]app' is distributing a new variant of Lumma Stealer malware. The fake site mimics the official Telegram Premium platform and automatically downloads an executable file 'start.exe' upon access. This sophisticated information-stealing trojan can exfiltrate browser credentials, cryptocurrency wallet details, and system information. The malware employs various techniques for persistence, defense evasion, and data theft, including file system manipulation, registry modification, and clipboard operations. The campaign highlights the ongoing use of brand impersonation and social engineering for large-scale malware distribution, emphasizing the need for robust security measures and user awareness.

This threat involves a malicious campaign leveraging a fake website impersonating the official Telegram Premium platform, hosted at the domain 'telegrampremium.app'. Upon visiting the site, users are subjected to a drive-by download of an executable file named 'start.exe', which is a new variant of the Lumma Stealer malware. Lumma Stealer is an information-stealing trojan designed primarily for Windows systems. This malware is capable of exfiltrating sensitive data such as browser credentials, cryptocurrency wallet information, and detailed system information. The malware employs multiple advanced techniques to maintain persistence on infected systems, evade detection, and facilitate data theft. These techniques include manipulation of the file system, modification of Windows registry keys, clipboard data interception, and potentially process injection or obfuscation methods as indicated by the MITRE ATT&CK tags (e.g., T1055 - Process Injection, T1027 - Obfuscated Files or Information). The campaign exploits brand impersonation and social engineering tactics to lure victims into downloading the malware, highlighting the ongoing threat posed by fake websites mimicking trusted brands. Indicators of compromise include multiple file hashes, suspicious domains, and an IP address linked to the campaign. Although no known exploits in the wild are reported, the malware’s capability to steal credentials and cryptocurrency wallets poses a significant risk to affected users and organizations. The campaign underscores the importance of vigilance against phishing and drive-by download attacks, especially those exploiting popular platforms like Telegram.

Detailed information about FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT. Get real-time updates, technical details, and mitigation strategies

FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT - Live Threat Intelligence - Threat Radar | OffSeq.com

FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT

Bruce, the mechanical shark from Jaws, reflects on his role in the iconic film 50 years later. He shares insights on the challenges faced during filming due to unpredictable ocean conditions, drawing parallels to cybersecurity. Bruce emphasizes the importance of overpreparing, maintaining perspective, and having strong last-line defenses. The article then transitions to discussing Cisco Talos' enhanced email threat detection engine, addressing brand impersonation tactics using PDF payloads in phishing attacks. It highlights the increasing sophistication of these attacks and provides advice on staying vigilant against such threats.

The threat campaign titled "A message from the mechanical shark" highlights an evolving phishing attack technique that leverages brand impersonation through PDF payloads embedded in emails. This campaign, analyzed by AlienVault and Cisco Talos, underscores the increasing sophistication of email-based threats, particularly those that exploit trusted brand identities to deceive recipients. The attackers craft phishing emails that appear to come from legitimate sources, embedding malicious PDF files that contain payloads designed to compromise the target's system. These PDFs may exploit vulnerabilities or use social engineering tactics to trick users into enabling malicious content or executing harmful actions. The campaign references MITRE ATT&CK techniques such as T1192 (Spearphishing Attachment), T1566.001 and T1566.002 (Phishing via Spearphishing Link and Attachment), and T1078 (Valid Accounts), indicating that attackers may also attempt to leverage stolen credentials or valid accounts to increase the success rate of their attacks. Although no direct exploits or vulnerabilities are specified, the campaign's focus on brand impersonation and PDF payloads represents a significant threat vector, especially as phishing remains a primary initial access method for many threat actors. The campaign is currently assessed with medium severity and does not have known exploits in the wild, but the presence of multiple file hashes and a suspicious domain suggests active monitoring and detection efforts are underway. The threat intelligence encourages organizations to maintain strong email threat detection capabilities and to be vigilant against increasingly convincing phishing attempts that use sophisticated payload delivery mechanisms.

Detailed information about A message from the mechanical shark. Get real-time updates, technical details, and mitigation strategies.

A message from the mechanical shark - Live Threat Intelligence - Threat Radar | OffSeq.com

A message from the mechanical shark

A network of 71 purchase scam websites has been identified, linked to 12 shared merchant accounts used for fraudulent transactions. The scams employ brand impersonation, online ads, and malicious merchants to target victims. The network, operational since February 2025, uses typosquatting and brand logo abuse to impersonate legitimate retailers. Transactions with the identified merchant accounts are likely fraudulent and facilitate card compromise. The network's attribution remains unclear, possibly controlled by a single actor or multiple actors collaborating through dark web services. Mitigation strategies for card issuers and merchant acquirers are provided to reduce financial fraud and compliance risks associated with these scams.

This threat involves a coordinated network of 71 fraudulent purchase scam websites that have been active since February 2025. These sites leverage brand impersonation techniques, including typosquatting—registering domain names similar to legitimate retailers—and misuse of brand logos to deceive victims into believing they are interacting with trusted merchants. The scam network is supported by 12 shared merchant accounts that process transactions, which are likely fraudulent and facilitate card compromise and transaction laundering. Victims are targeted through online advertisements that direct them to these malicious sites, where they may unknowingly submit payment information. The network’s operational structure is unclear; it may be controlled by a single threat actor or multiple actors collaborating via dark web services. The campaign employs various tactics and techniques aligned with MITRE ATT&CK identifiers such as T1587.001 (Develop Capabilities), T1586.001 (Compromise Accounts), T1598.003 (Phishing for Information), and others related to command and control, execution, and credential access. Although no direct exploits or malware are involved, the threat exploits social engineering and fraudulent transaction mechanisms to achieve financial fraud. The compromised merchant accounts facilitate laundering of illicit transactions, increasing the risk for card issuers and merchant acquirers. This scam network poses a significant risk to consumers and financial institutions by enabling unauthorized card use and financial loss. Mitigation strategies focus on enhanced transaction monitoring, merchant account vetting, and consumer awareness to reduce fraud and compliance risks.

Detailed information about Brand impersonation, online ads, and malicious merchants help purchase scam network prey on victims. Get real-time updates, technical

Brand impersonation, online ads, and malicious merchants help purchase scam network prey on victims - Live Threat Intelligence - Threat Radar | OffSeq.com

Brand impersonation, online ads, and malicious merchants help purchase scam network prey on victims

A sophisticated phishing kit named CoGUI is targeting Japanese organizations with high-volume campaigns, primarily impersonating consumer and finance brands to steal credentials and payment data. The kit employs advanced evasion techniques like geofencing and fingerprinting to avoid detection. Since October 2024, CoGUI campaigns have sent millions of messages monthly, peaking at 172 million in January 2025. While mainly focused on Japan, some campaigns have targeted other countries. The kit shares similarities with Darcula, another phishing framework used by Chinese-speaking actors. CoGUI's activity aligns with recent warnings from Japanese financial authorities about increased phishing attacks leading to financial theft.

The CoGUI phishing kit is a sophisticated and high-volume phishing framework primarily targeting Japanese organizations, with campaigns sending millions of messages monthly since October 2024 and peaking at 172 million messages in January 2025. This phishing kit impersonates well-known consumer and financial brands to deceive victims into divulging sensitive credentials and payment information. CoGUI employs advanced evasion techniques such as geofencing and device fingerprinting to avoid detection and limit exposure to unintended regions, which complicates defensive efforts. The kit shares technical and operational similarities with the Darcula phishing framework, historically linked to Chinese-speaking threat actors, suggesting a possible shared development lineage or actor overlap. Although the primary focus is Japan, some campaigns have extended to other countries, indicating potential for broader geographic impact. The timing and scale of CoGUI campaigns coincide with warnings from Japanese financial authorities about rising phishing attacks resulting in financial theft, underscoring the kit's operational effectiveness and threat to financial sector security. No known exploits or patches exist, as this is a phishing kit rather than a software vulnerability, and it relies on social engineering rather than technical exploitation. The threat is classified as medium severity, reflecting its high volume and sophistication but limited primarily to phishing and credential theft without direct system compromise or malware payloads.

Detailed information about CoGUI Phish Kit Targets Japan with Millions of Messages. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'brand impersonation'

Filter Threats

Threats Tagged 'brand impersonation'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility