Links submitted by the Threat Radar community and AI curated for defenders.

Community Curated

Check Point Research

Kaspersky Security Blog

CVE Database V5

Reddit NetSec

Reddit InfoSec News

AlienVault OTX General

SecurityWeek

SANS ISC Handlers Diary

Dark Reading

Threatpost

Exploit-DB RSS Feed

The Hacker News

CIRCL OSINT Feed

ThreatFox MISP Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The IUAM ClickFix Generator is a phishing kit that automates the creation of phishing pages mimicking browser verification challenges to bypass automated traffic blocks. It features advanced capabilities such as operating system detection and clipboard injection, facilitating cross-platform malware deployment with minimal effort. This kit is primarily used to deploy malware including info stealers and remote access trojans (RATs). Although no known exploits in the wild have been reported yet, the kit’s sophistication and automation increase the risk of widespread phishing campaigns. European organizations are at risk due to the kit’s ability to evade detection and target multiple operating systems. Mitigation requires enhanced phishing awareness, deployment of advanced email and web filtering, and monitoring for clipboard injection behaviors. Countries with high internet usage, significant financial sectors, and large enterprise environments such as Germany, the UK, France, and the Netherlands are more likely to be targeted. Given the potential for credential theft and remote access compromise without requiring user interaction beyond clicking, the threat severity is assessed as high. Defenders should prioritize detection of phishing pages mimicking IUAM challenges and monitor for indicators of clipboard injection and malware deployment.

The IUAM ClickFix Generator is a newly uncovered phishing kit designed to automate the creation of phishing pages that impersonate browser verification challenges, commonly used to block automated traffic such as bots. This deception technique, known as IUAM (I'm Under Attack Mode), is exploited to trick victims into believing they must complete a verification step, thereby increasing the likelihood of interaction. The kit supports advanced features including operating system detection, allowing it to tailor payloads or phishing content based on the victim’s platform, enhancing effectiveness across Windows, macOS, and potentially other systems. Clipboard injection is another sophisticated feature that enables the malware to silently insert malicious commands or data into the victim’s clipboard, facilitating stealthy malware deployment such as info stealers (e.g., DeerStealer) and remote access trojans (RATs). These capabilities reduce the effort required by attackers to conduct cross-platform attacks and increase the chances of successful infection. The phishing pages generated are highly customizable, enabling threat actors to adapt them to various targets and scenarios. Although no active exploits have been reported in the wild, the availability of such a kit lowers the barrier for attackers to launch phishing campaigns that can bypass automated defenses. The kit’s use of techniques mapped to MITRE ATT&CK tactics such as T1036 (Masquerading), T1102 (Web Service), T1059 (Command and Scripting Interpreter), T1055 (Process Injection), and T1115 (Clipboard Data) highlights its multi-faceted approach to evasion and infection. This threat represents a significant evolution in phishing toolkits by combining social engineering with technical evasion and malware delivery features.

CC=RU ASN=AS50340 ooo network of data-centers selectel

CC=BG ASN=AS8866 bulgarian telecommunications company plc.

MD5 of cd78a77d40682311fd30d74462fb3e614cbc4ea79c3c0894ba856a01557fd7c0

MD5 of 7765e5e0a7622ff69bd2cee0a75f2aae05643179b4dd333d0e75f98a42894065

MD5 of d81cc9380673cb36a30f2a84ef155b0cbc7958daa6870096e455044fba5f9ee8

MD5 of 029a5405bbb6e065c8422ecc0dea42bb2689781d03ef524d9374365ebb0542f9

MD5 of 397ee604eb5e20905605c9418838aadccbbbfe6a15fc9146442333cfc1516273

MD5 of 9090385242509a344efd734710e60a8f73719130176c726e58d32687b22067c8

MD5 of 081921671d15071723cfe979633a759a36d1d15411f0a6172719b521458a987d

MD5 of 3aee8ad1a30d09d7e40748fa36cd9f9429e698c28e2a1c3bcf88a062155eee8c

MD5 of 8ed8880f40a114f58425e0a806b7d35d96aa18b2be83dede63eff0644fd7937d

MD5 of ba5305e944d84874bde603bf38008675503244dc09071d19c8c22ded9d4f6db4

MD5 of 2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b

MD5 of 816bf9ef902251e7de73d57c4bf19a4de00311414a3e317472074ef05ab3d565

MD5 of 7881a60ee0ad02130f447822d89e09352b084f596ec43ead78b51e331175450f

MD5 of f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac

MD5 of 9c5920fa25239c0f116ce7818949ddce5fd2f31531786371541ccb4886c5aeb2

MD5 of 966108cf5f3e503672d90bca3df609f603bb023f1c51c14d06cc99d2ce40790c

MD5 of fe8b1b5b0ca9e7a95b33d3fcced833c1852c5a16662f71ddea41a97181532b14

MD5 of d375bb10adfd1057469682887ed0bc24b7414b7cec361031e0f8016049a143f9

MD5 of ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151

MD5 of 82b73222629ce27531f57bae6800831a169dff71849e1d7e790d9bd9eb6e9ee7

MD5 of 039f82e92c592f8c39b9314eac1b2d4475209a240a7ad052b730f9ba0849a54a

MD5 of 00c953a678c1aa115dbe344af18c2704e23b11e6c6968c46127dd3433ea73bf2

MD5 of 72633ddb45bfff1abeba3fc215077ba010ae233f8d0ceff88f7ac29c1c594ada

MD5 of d110059f5534360e58ff5f420851eb527c556badb8e5db87ddf52a42c1f1fe76

MD5 of 6e4119fe4c8cf837dac27e2948ce74dc7af3b9d4e1e4b28d22c4cf039e18b993

MD5 of 7a8250904e6f079e1a952b87e55dc87e467cc560a2694a142f2d6547ac40d5e1

SHA1 of 816bf9ef902251e7de73d57c4bf19a4de00311414a3e317472074ef05ab3d565

SHA1 of 7881a60ee0ad02130f447822d89e09352b084f596ec43ead78b51e331175450f

SHA1 of 9c5920fa25239c0f116ce7818949ddce5fd2f31531786371541ccb4886c5aeb2

SHA1 of 2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b

SHA1 of 081921671d15071723cfe979633a759a36d1d15411f0a6172719b521458a987d

SHA1 of fe8b1b5b0ca9e7a95b33d3fcced833c1852c5a16662f71ddea41a97181532b14

SHA1 of 72633ddb45bfff1abeba3fc215077ba010ae233f8d0ceff88f7ac29c1c594ada

SHA1 of 00c953a678c1aa115dbe344af18c2704e23b11e6c6968c46127dd3433ea73bf2

SHA1 of 966108cf5f3e503672d90bca3df609f603bb023f1c51c14d06cc99d2ce40790c

SHA1 of d110059f5534360e58ff5f420851eb527c556badb8e5db87ddf52a42c1f1fe76

SHA1 of f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac

SHA1 of 3aee8ad1a30d09d7e40748fa36cd9f9429e698c28e2a1c3bcf88a062155eee8c

SHA1 of 397ee604eb5e20905605c9418838aadccbbbfe6a15fc9146442333cfc1516273

SHA1 of 029a5405bbb6e065c8422ecc0dea42bb2689781d03ef524d9374365ebb0542f9

SHA1 of 6e4119fe4c8cf837dac27e2948ce74dc7af3b9d4e1e4b28d22c4cf039e18b993

SHA1 of cd78a77d40682311fd30d74462fb3e614cbc4ea79c3c0894ba856a01557fd7c0

SHA1 of 7765e5e0a7622ff69bd2cee0a75f2aae05643179b4dd333d0e75f98a42894065

SHA1 of 82b73222629ce27531f57bae6800831a169dff71849e1d7e790d9bd9eb6e9ee7

SHA1 of d81cc9380673cb36a30f2a84ef155b0cbc7958daa6870096e455044fba5f9ee8

SHA1 of 039f82e92c592f8c39b9314eac1b2d4475209a240a7ad052b730f9ba0849a54a

SHA1 of ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151

SHA1 of 8ed8880f40a114f58425e0a806b7d35d96aa18b2be83dede63eff0644fd7937d

SHA1 of ba5305e944d84874bde603bf38008675503244dc09071d19c8c22ded9d4f6db4

SHA1 of 9090385242509a344efd734710e60a8f73719130176c726e58d32687b22067c8

SHA1 of 7a8250904e6f079e1a952b87e55dc87e467cc560a2694a142f2d6547ac40d5e1

SHA1 of d375bb10adfd1057469682887ed0bc24b7414b7cec361031e0f8016049a143f9

CC=AT ASN=AS60781 leaseweb netherlands b.v.

CC=US ASN=AS207710 sia singularity telecom

Detailed information about The ClickFix Factory: First Exposure of IUAM ClickFix Generator. Get real-time updates, technical details, and mitigation strategies.

The ClickFix Factory: First Exposure of IUAM ClickFix Generator - Live Threat Intelligence - Threat Radar | OffSeq.com

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

A new Android Trojan named Datzbro has been discovered targeting seniors through fake Facebook groups promoting travel and social activities. The malware, which combines spyware and banking Trojan capabilities, is distributed via malicious APKs disguised as community apps. Datzbro features remote access, screen sharing, black overlay attacks, and keylogging, allowing attackers to perform financial fraud. It specifically targets banking and crypto-related apps, stealing credentials and sensitive information. The malware's origin appears to be Chinese-speaking developers, and its command-and-control application has been leaked, potentially making it a global threat. The campaign demonstrates the evolving sophistication of mobile threats, blending social engineering with advanced technical capabilities.

Datzbro is a newly identified Android Trojan that targets senior citizens by exploiting social engineering tactics through fake Facebook groups that promote travel and social activities. The malware is distributed via malicious APK files masquerading as legitimate community or social apps, which entices the target demographic to install them. Technically, Datzbro combines features of spyware and banking Trojans, enabling attackers to remotely access infected devices, capture screen content, perform black overlay attacks to deceive users, and log keystrokes. These capabilities allow attackers to steal sensitive information such as banking credentials and cryptocurrency wallet details. The malware specifically targets banking and crypto-related applications, facilitating financial fraud and theft. The origin of Datzbro appears to be Chinese-speaking developers, and notably, the command-and-control (C2) application used to manage infected devices has been leaked publicly, increasing the risk of widespread exploitation by multiple threat actors globally. This campaign exemplifies the increasing sophistication of mobile malware, blending advanced technical features with targeted social engineering to exploit a vulnerable population segment. While no CVE or known exploits in the wild have been reported yet, the combination of remote access, credential theft, and social engineering makes Datzbro a significant threat to Android users, especially seniors who may be less aware of such risks.

Detailed information about Datzbro: RAT Hiding Behind Senior Travel Scams. Get real-time updates, technical details, and mitigation strategies.

Datzbro: RAT Hiding Behind Senior Travel Scams - Live Threat Intelligence - Threat Radar | OffSeq.com

Datzbro: RAT Hiding Behind Senior Travel Scams

This analysis delves into the operations of DeceptiveDevelopment, a North Korea-aligned threat actor, and its connections to North Korean IT worker campaigns. The group targets software developers across major systems, focusing on cryptocurrency and Web3 projects. They use social engineering techniques like fake job offers and the ClickFix method to deliver malware. Their toolset includes multiplatform malware such as BeaverTail, InvisibleFerret, WeaselStore, and TsunamiKit. The group shows links to other North Korean cyber operations through shared malware like Tropidoor and AkdoorTea. The analysis also explores the activities of North Korean IT workers, who use stolen identities and AI-generated content to secure remote jobs, highlighting the interconnected nature of these cyber threats.

The threat campaign attributed to the North Korea-aligned threat actor group known as DeceptiveDevelopment represents a sophisticated and evolving cyber espionage and theft operation targeting software developers, particularly those involved in cryptocurrency and Web3 projects. This group employs advanced social engineering tactics, including fake job offers and the ClickFix method, to trick victims into executing malware. Their malware toolset is diverse and multiplatform, comprising BeaverTail, InvisibleFerret, WeaselStore, and TsunamiKit, which enable remote access, information theft, and persistence on victim systems. The campaign also reveals operational links to other North Korean cyber operations through shared malware families such as Tropidoor and AkdoorTea, indicating a coordinated and resourceful adversary. Notably, the group leverages AI-generated content and stolen identities to infiltrate remote work environments, exploiting the growing trend of remote employment to gain footholds in target organizations. The campaign’s indicators include multiple IP addresses and a .onion domain, suggesting the use of anonymized infrastructure for command and control. The tactics, techniques, and procedures (TTPs) align with MITRE ATT&CK techniques such as credential dumping (T1056.001), user execution via social engineering (T1204.002, T1566.001, T1566.002), masquerading (T1036), process injection (T1055), and remote access (T1078), among others. This campaign highlights the increasing sophistication of North Korean cyber operations, combining traditional crypto theft with AI-based deception to evade detection and maximize impact.

Detailed information about From primitive crypto theft to sophisticated AI-based deception. Get real-time updates, technical details, and mitigation strategies.

From primitive crypto theft to sophisticated AI-based deception - Live Threat Intelligence - Threat Radar | OffSeq.com

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

A sophisticated phishing campaign targeting Japanese users employs MostereRAT, a Remote Access Trojan that utilizes advanced evasion techniques. The attack chain involves multiple stages, including an Easy Programming Language (EPL) payload, security tool disabling, and mTLS-secured C2 communications. The malware can deploy popular remote access tools like AnyDesk and TightVNC, granting attackers full system control. It employs techniques such as running as TrustedInstaller, blocking AV traffic, and creating hidden administrator accounts. The campaign's complexity and use of legitimate tools make detection and prevention challenging, highlighting the importance of user education and up-to-date security solutions.

MostereRAT is a sophisticated Remote Access Trojan (RAT) actively deployed via a targeted phishing campaign primarily affecting Japanese users. The attack chain is multi-staged and complex, beginning with the delivery of an Easy Programming Language (EPL) payload, which is a less common scripting language that helps evade traditional detection mechanisms. Once executed, the malware employs advanced evasion techniques such as running with the TrustedInstaller account privileges, which is the highest Windows system privilege, allowing it to bypass many security controls and maintain persistence. It also disables security tools and blocks antivirus traffic, further complicating detection and mitigation efforts. Communication with its command and control (C2) servers is secured using mutual TLS (mTLS), ensuring encrypted and authenticated data exchange that hinders network-based detection. MostereRAT can deploy legitimate remote access tools like AnyDesk and TightVNC, which are commonly used for remote support but here are weaponized to grant attackers covert full system control. Additional tactics include creating hidden administrator accounts and using various Windows persistence and execution techniques (such as T1113, T1543, T1053, T1562, T1219, T1055, T1218, T1112, T1059, T1566, T1574, T1027, T1546, T1573, T1056, T1588, T1134, T1136) to maintain long-term access and evade detection. The use of legitimate tools and high privilege escalation makes this threat particularly stealthy and difficult to detect using conventional endpoint detection and response (EDR) solutions. The campaign’s complexity and the use of phishing as the initial infection vector highlight the critical importance of user awareness and robust email security controls.

Detailed information about MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access. Get real-time updates, technical details, and mitigation strategies.

MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access - Live Threat Intelligence - Threat Radar | OffSeq.com

MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access

A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise phones of military personnel. The attackers employ various tactics, including PDF phishing documents, fake login pages for government and military organizations, and malicious Android apps. The Android malware, based on the Rafel Rat, steals information and provides remote access. Victims are primarily from South Asian countries, with stolen data including SMS messages, contact lists, and documents. The operation also uses Windows malware with the same command and control infrastructure.

The UNC Cluster represents a persistent threat actor group identified as a South Asian Advanced Persistent Threat (APT) targeting primarily military personnel in South Asian countries including Sri Lanka, Bangladesh, Pakistan, and Turkey. The group employs sophisticated phishing campaigns leveraging military-themed lures to compromise mobile devices, particularly Android phones. The attack vectors include PDF phishing documents and fake login pages impersonating government and military organizations, designed to deceive victims into divulging credentials or installing malicious applications. The Android malware used is based on the Rafel RAT (Remote Access Trojan), which enables attackers to steal sensitive information such as SMS messages, contact lists, and documents, and maintain persistent remote access to compromised devices. In addition to Android malware, the threat actor also deploys Windows malware that shares the same command and control (C2) infrastructure, indicating a coordinated multi-platform campaign. The phishing techniques correspond to MITRE ATT&CK techniques T1566 (Phishing), T1566.001 (Spearphishing Attachment), and T1566.002 (Spearphishing Link). Although no known exploits are reported in the wild, the operation's use of credential theft and information stealing malware poses significant risks to confidentiality and operational security of targeted military personnel. The campaign's focus on military-themed lures and targeting of military personnel suggests a strategic intelligence-gathering objective, consistent with APT behavior. The lack of affected software versions and patch links indicates this is a social engineering and malware-based threat rather than a software vulnerability exploitation. The threat is assessed as medium severity based on the information provided.

Detailed information about UNC Cluster Targeting South Asian Countries. Get real-time updates, technical details, and mitigation strategies.

UNC Cluster Targeting South Asian Countries - Live Threat Intelligence - Threat Radar | OffSeq.com

UNC Cluster Targeting South Asian Countries

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.

This threat involves a sophisticated attack campaign leveraging compromised WordPress websites to distribute a malicious variant of the NetSupport Manager Remote Access Tool (RAT). The attackers initiate the infection chain through phishing campaigns that lure victims to compromised WordPress sites. These sites have been manipulated using Document Object Model (DOM) techniques and injected JavaScript files to evade detection and present a fake CAPTCHA page, increasing the likelihood of user interaction and trust. Upon interaction, a batch file is downloaded and executed on the victim's machine, which subsequently downloads and runs the NetSupport Client component. NetSupport Manager is a legitimate remote administration tool often used for remote support, but in this context, it is weaponized as a RAT to provide attackers with persistent remote access. Post-infection, the attackers exploit NetSupport's built-in capabilities for reconnaissance, lateral movement, and further exploitation within the victim environment. The attack infrastructure is linked to multiple IP addresses and domains, many associated with hosting providers in Moldova, indicating a geographically clustered command and control setup. The use of compromised WordPress sites and phishing campaigns highlights a multi-stage attack vector combining social engineering, web compromise, and malware deployment. The threat actors employ advanced evasion techniques such as DOM manipulation and multiple JavaScript payloads to avoid detection by security tools. Although no specific CVE or known exploits in the wild are reported, the attack leverages common tactics, techniques, and procedures (TTPs) including phishing (T1566), execution through batch files (T1059.003), remote access (T1021.001), persistence (T1547.001), and reconnaissance (T1082, T1016). The medium severity rating reflects the complexity and potential impact of the attack, though it requires user interaction and initial phishing success to propagate.

Detailed information about Deploying NetSupport RAT via WordPress & ClickFix. Get real-time updates, technical details, and mitigation strategies.

Deploying NetSupport RAT via WordPress & ClickFix - Live Threat Intelligence - Threat Radar | OffSeq.com

Deploying NetSupport RAT via WordPress & ClickFix

A phishing campaign has been identified that exploits Vercel, a legitimate frontend hosting platform, to distribute a malicious version of LogMeIn. Cybercriminals send phishing emails with links to a malicious page on Vercel, impersonating an Adobe PDF viewer and prompting users to download a disguised executable. Once executed, the malware installs and connects to a LogMeIn server, allowing remote access and control of the compromised machine. Over 28 distinct campaigns targeting more than 1,271 users have been observed in the past two months. The technique's effectiveness stems from the use of a legitimate platform, a genuine remote access tool, and social engineering tactics. Recommendations include monitoring suspicious Vercel subdomains, educating employees about fake support scams, and implementing strict controls for remote access software installations.

This threat involves a sophisticated phishing campaign leveraging the legitimate frontend hosting platform Vercel to distribute a malicious variant of the remote access tool LogMeIn. Attackers send phishing emails containing links to malicious pages hosted on Vercel, which impersonate an Adobe PDF viewer interface to deceive users. The malicious page prompts users to download an executable disguised as a legitimate file. Upon execution, the malware installs itself and establishes a connection to a LogMeIn server controlled by the attacker, granting remote access and control over the compromised system. This campaign has been active for at least two months, with over 28 distinct campaigns targeting more than 1,271 users. The attack's success is attributed to the abuse of a trusted platform (Vercel), use of a genuine remote access tool (LogMeIn), and effective social engineering tactics such as impersonation of common software and fake support scams. Indicators of compromise include multiple file hashes and suspicious domains. The campaign techniques align with MITRE ATT&CK tactics such as T1566 (phishing), T1204 (user execution), T1219 (remote access software), T1036 (masquerading), and T1105 (remote file copy). No known exploits or threat actors have been identified, and no CVSS score is assigned. The threat is rated medium severity due to its reliance on user interaction and social engineering, but it poses significant risk due to the potential for unauthorized remote access and control.

Detailed information about Cybercriminals Abusing Vercel to Deliver Remote Access Malware. Get real-time updates, technical details, and mitigation strategies.

Cybercriminals Abusing Vercel to Deliver Remote Access Malware - Live Threat Intelligence - Threat Radar | OffSeq.com

Cybercriminals Abusing Vercel to Deliver Remote Access Malware

As artificial intelligence (AI) surges into mainstream adoption, millions of users turn daily to AI-powered tools for content creation—from generating art and music to transforming photos into videos. But amid this excitement, cybercriminals have uncovered a potent new lure: fake AI platforms promising cutting-edge content generation in exchange for user uploads.

The Noodlophile stealer is a newly identified malware strain that leverages the growing popularity of AI-powered content creation tools to distribute itself. Cybercriminals have created fake AI video generation platforms that promise users advanced content generation capabilities, such as transforming photos into videos or generating art and music. These platforms act as lures to entice users into uploading files or interacting with malicious content. Once engaged, the malware deploys an infostealer component designed to harvest sensitive information, including credentials, from the victim's system. The malware exhibits worm-like propagation capabilities, potentially spreading across networks or devices without user intervention. It also incorporates remote access functionalities, allowing attackers to maintain persistence and control over compromised systems. The infection vector often involves social engineering tactics, such as delivering malicious Word documents or leveraging popular social media platforms like Facebook to distribute payloads. The malware is implemented in Python and uses various techniques to evade detection, including process injection (T1055) and masquerading (T1036). Network communication is established covertly to exfiltrate stolen data (T1041), and the malware may abuse system services (T1503) and credentials stored in browsers or other applications (T1539). Although no known exploits are currently reported in the wild, the threat is active and evolving, targeting users attracted by AI content creation trends. The medium severity rating reflects the malware's capability to compromise confidentiality and integrity, combined with moderate ease of exploitation through social engineering and fake platforms.

MD5 of 18c14dcfb9a54c5359026a5fcbdb3e4ba6ced2628a9cd9ae589baedbb29beaa6

SHA1 of 18c14dcfb9a54c5359026a5fcbdb3e4ba6ced2628a9cd9ae589baedbb29beaa6

Detailed information about New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms. Get real-time updates, technical details, and mitigation 

New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms - Live Threat Intelligence - Threat Radar | OffSeq.com

New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms

A sophisticated cyber-attack campaign has been identified, combining phishing techniques targeting Office365 credentials with malware delivery. The attackers use a file deletion reminder as a pretext, exploiting a legitimate file-sharing service to appear more credible. Upon opening a shared PDF file, users are presented with two hyperlinks: 'Preview' leads to a fake Microsoft login page for credential theft, while 'Download' initiates the installation of ConnectWise RAT malware. The malware establishes persistence through system services and registry modifications. This dual-threat approach emphasizes the need for user vigilance and education in recognizing phishing attempts and suspicious emails.

The identified threat, termed 'Pick your Poison - A Double-Edged Email Attack,' is a sophisticated phishing and malware campaign targeting Office365 users. Attackers leverage social engineering by sending emails that use a plausible pretext—a file deletion reminder—and exploit a legitimate file-sharing service to increase credibility and bypass initial suspicion. The email contains a shared PDF file with two embedded hyperlinks: 'Preview' and 'Download.' The 'Preview' link directs victims to a counterfeit Microsoft login page designed to harvest Office365 credentials, enabling attackers to gain unauthorized access to corporate email and cloud resources. The 'Download' link initiates the installation of the ConnectWise Remote Access Trojan (RAT), a malware known for establishing persistence on infected systems through system services and registry modifications (techniques T1543 and T1547). This RAT allows attackers remote control capabilities, potentially enabling data exfiltration, lateral movement, and further compromise. The campaign combines multiple attack techniques, including phishing (T1566), credential theft (T1078), obfuscation (T1027), and execution of malicious code (T1059), highlighting a multi-faceted approach to compromise. The use of a legitimate file-sharing service and a realistic scenario increases the likelihood of user interaction, making this attack particularly dangerous. The absence of known exploits in the wild suggests this is a relatively new or targeted campaign, but the medium severity rating underscores the significant risk posed by credential theft combined with malware infection.

Detailed information about Pick your Poison - A Double-Edged Email Attack. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'remote access'

Filter Threats

Scan a website for live threats in under a minute

Threats Tagged 'remote access'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility