
Threats Tagged 'impersonation'

View all threats tagged with 'impersonation'. Filter and sort to focus on specific types of threats.

73 Open VSX Sleeper Extensions Linked to Malware Show New Activations

The GlassWorm campaign targeting Open VSX has escalated with 73 newly identified impersonation extensions. These sleeper extensions were initially published without malicious payloads by newly created GitHub accounts, appearing benign to build trust and credibility. At least six extensions have been activated to deliver malware through normal update mechanisms. The extensions clone popular legitimate listings with similar branding, icons, and descriptions, making detection difficult. The threat actor has shifted delivery methods away from embedded loaders toward transitive delivery via extension dependencies, external payload retrieval from GitHub-hosted VSIX files, and native binary execution. Some variants use obfuscated JavaScript to decode and retrieve payloads at runtime. The malicious code targets multiple IDEs including VS Code, Cursor, Windsurf, and VSCodium, installing downloaded extensions through command-line interfaces.

Bogus website fakes virus scan, installs Venom Stealer instead

A fake website impersonating Avast antivirus is tricking users into infecting their computers with Venom Stealer malware. The site runs a fake virus scan, claims to find threats, and prompts users to download a malicious file disguised as a system cleaner. The malware, identified as part of the Venom Stealer family, steals browser credentials, session cookies, cryptocurrency wallets, and other sensitive data. It uses evasion techniques like direct system calls and debugger checks to avoid detection. The stolen information is exfiltrated to a command-and-control server disguised as an analytics service. This campaign demonstrates a classic scare-and-fix scam, exploiting users' trust in reputable security brands to deliver malware.

Malicious AI Assistant Extensions Harvest LLM Chat Histories

An investigation has uncovered malicious Chromium-based browser extensions masquerading as legitimate AI assistant tools to collect Large Language Model (LLM) chat histories and browsing data. These extensions have been installed approximately 900,000 times, affecting over 20,000 enterprise tenants. The malicious extensions collect full URLs and AI chat content from platforms like ChatGPT and DeepSeek, potentially exposing organizations to leaks of confidential information. The attack chain involves reconnaissance, weaponization, delivery through trusted app stores, exploitation of user trust, installation for persistence, and regular data exfiltration to attacker-controlled infrastructure. This activity transforms a seemingly benign productivity tool into a persistent data collection mechanism embedded in daily enterprise browser usage.

Fake Investment Platform Reputation Laundering: Felix Markets

Felix Markets is a fraudulent forex broker platform engaging in reputation laundering by presenting false regulatory credentials and leveraging sports sponsorship to appear legitimate. It impersonates other companies, repackages authentic legal documents, and falsely claims regulatory ties to Australia, the UK, and Comoros. The platform sponsors the Spanish football team Levante U.D. for the 2025-26 season to enhance its perceived legitimacy. Hosting and metadata suggest possible Turkish involvement, while the scam exploits the identity of a legitimate Australian company. This campaign exemplifies sophisticated regulatory fraud and reputation laundering tactics in investment scams, posing risks to investors and financial institutions. European organizations should exercise heightened due diligence, especially in sectors vulnerable to such deceptive legitimacy claims. The threat is assessed as medium severity due to its potential financial impact and moderate ease of exploitation without direct technical system compromise. Spain is notably affected given the sponsorship link and geographic focus.

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing malicious .HTA files via ActiveX. This method leads to silent payload downloads and ransomware deployment. The campaign uses a ClickFix-themed malware delivery site, urging victims to visit a secondary page where malicious shell commands are executed. The attackers also impersonate various streaming services and use romance-themed lures. Epsilon Red, first observed in 2021, shows some similarities to REvil ransomware in its ransom note styling but appears distinct in its tactics and infrastructure.

Crypto Wallets Continue to be Drained in Elaborate Social Media Scam

An ongoing social engineering campaign is targeting cryptocurrency users through fake startup companies impersonating AI, gaming, and Web3 firms. The scammers create elaborate facades using spoofed social media accounts and project documentation on platforms like Notion and GitHub. They contact victims offering to pay them to test software, which is actually malware designed to steal crypto wallet contents. The campaign uses both Windows and macOS malware, including information stealers like Atomic Stealer. The threat actors go to great lengths to appear legitimate, even creating fake conference photos and merchandise stores. Multiple fake company identities have been identified as part of this campaign.

DMV-Themed Phishing Campaign Targeting U.S. Citizens

A sophisticated phishing campaign impersonating U.S. state Departments of Motor Vehicles emerged in May 2025, using SMS phishing and deceptive websites to harvest personal and financial data. Victims received messages about unpaid toll violations, directing them to fake DMV sites requesting extensive information. Technical analysis revealed shared infrastructure, consistent domain naming, and indicators of a China-based threat actor. The campaign used spoofed SMS numbers, often from the Philippines, and email addresses from obscure domains. Phishing websites followed a pattern using state IDs and specific TLDs. Infrastructure analysis showed connections to known malicious IP addresses and Chinese DNS providers. The campaign's widespread impact prompted alerts from multiple states and federal authorities.

The Transparent Tribe Vibe: APT36 Returns With CapraRAT Impersonating Viber

APT36, also known as Transparent Tribe, has been observed using VPS provider Contabo to host malicious infrastructure for CapraRAT and Crimson RAT. Their latest tactic involves disguising spyware as the popular messaging app Viber, granting extensive permissions to record calls, read messages, and track location. The investigation traced the infrastructure, identified key Indicators of Compromise, and uncovered the full extent of this Android surveillance campaign. The threat actor employs social engineering tactics to distribute their Android Remote Access Trojans, with lures crafted to align with the RAT's disguise. The malware's capabilities include targeted surveillance, credential theft, and infrastructure abuse, potentially eroding brand trust in legitimate communication platforms.
