Threats Tagged 'phishing campaign'

View all threats tagged with 'phishing campaign'. Filter and sort to focus on specific types of threats.

Technical Advisory: Breach of Instructure Canvas LMS

In early May 2026, Instructure confirmed a breach affecting its Canvas learning platform after detecting unauthorized activity on May 1. ShinyHunters exploited the Free-For-Teacher account program, compromising the Canvas platform directly and exposing names, email addresses, student IDs, and private messages. The exposure window ran from April 30 to May 7, 2026. ShinyHunters claims 3.6 TB of data covering approximately 275 million users across 9,000 schools globally, including institutions in the US, Australia, and EU. This represents ShinyHunters' second attack against Instructure in eight months. Instructure shut down the Free-For-Teacher program permanently, rotated API keys and privileged credentials, and engaged forensic investigators. The stolen data enables personalized phishing campaigns targeting students and faculty, with attackers potentially having write access sufficient to deface login pages at multiple institutions.

Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails

A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.

Inside a Fake DHL Campaign Built to Steal Credentials

A consumer-targeted credential theft operation uses DHL brand impersonation combined with a fake OTP verification mechanism to harvest passwords from victims. The attack employs an 11-step chain beginning with spoofed shipment notification emails, leading victims through a client-side generated OTP page that creates false trust, then directing them to a DHL-branded credential harvesting portal. The kit captures passwords alongside victim telemetry including IP address, device details, browser fingerprinting, and geolocation data. Exfiltration occurs through EmailJS, a legitimate client-side email service, sending stolen credentials to an attacker-controlled Tutamail address. The campaign concludes by redirecting victims to the legitimate DHL website to avoid suspicion, demonstrating how familiar workflows and brand trust can be weaponized without technical sophistication.

The n8n n8mare: How threat actors are misusing AI workflow automation

Investigation reveals widespread abuse of n8n, an AI workflow automation platform, in sophisticated phishing campaigns from October 2025 through March 2026. Attackers exploit the platform's webhook functionality to deliver malware and fingerprint devices while bypassing security filters through trusted infrastructure. Email volume containing n8n webhook URLs increased by 686% between January 2025 and March 2026. Observed campaigns utilize CAPTCHA-protected pages to deliver remote access tools including modified Datto RMM and ITarian Endpoint Management software. The webhooks mask malicious payload sources behind legitimate n8n domains. Additional abuse cases involve tracking pixels embedded in emails for device fingerprinting. These attacks demonstrate how legitimate productivity and automation platforms can be weaponized, requiring behavioral detection approaches rather than simple domain blocking to protect organizational workflows.

Fake YouTube copyright notices can steal your Google login

A sophisticated phishing campaign is targeting YouTube creators using convincing fake copyright strike notifications. The attack dynamically pulls real channel data including profile pictures, subscriber counts, and recent videos to create personalized scare pages. Victims are funneled through a Browser-in-the-Browser attack displaying a fake Google sign-in that captures credentials. The operation functions as phishing-as-a-service, with multiple attackers sharing infrastructure and rotating domains to evade detection. Successful attacks result in complete Google account takeover, allowing hijackers to rebrand channels and livestream cryptocurrency scams to existing audiences. The kit automatically exempts channels with over three million subscribers to avoid detection by security teams.

New ransomware targets Turkey via Adwind RAT

A threat cluster has been identified leveraging a customized Adwind (Java RAT) variant with polymorphic characteristics to deliver JanaWare ransomware. The campaign specifically targets Turkish users through geofencing mechanisms that check system locale and external IP geolocation. Active since at least 2020, the operation primarily affects home users and small to medium-sized businesses. Initial access occurs via phishing emails with malicious Java archives distributed through Google Drive links. The ransomware employs AES encryption and communicates over Tor networks, demanding modest ransoms between $200-$400. The malware uses multiple obfuscation techniques including Stringer and Allatori obfuscators, implements file pumping for polymorphism, and disables Windows security features before encryption. Victims are instructed to contact attackers through qTox or dedicated Tor onion sites.
