Threats Tagged 'social engineering'

This is a sophisticated phishing campaign known as the evolution of "ClickFix" that uses social engineering and victim-assisted execution to bypass endpoint security. Attackers send emails with urgent OneDrive document lures containing malicious ZIP attachments. The attack employs LNK shortcuts redirecting victims to landing pages that silently inject PowerShell commands into the clipboard. Victims are tricked into manually executing these commands via Win+R, circumventing traditional security filters. The campaign uses DNS TXT records for payload staging to avoid HTTP detection and includes multiple malicious components such as obfuscated scripts, fake MSI installers masquerading as legitimate software, and spyware-laden ISO images for persistent access. This campaign represents a shift toward long-term post-compromise control of the environment.

An active malware campaign has been discovered distributing malicious VBScript files through WhatsApp direct messages since June 2026. The operation affects users across multiple countries, with Malaysia experiencing the highest concentration of victims. Attackers compromise WhatsApp accounts and send weaponized VBS files disguised as business and financial documents to contacts. The multi-stage infection chain ultimately deploys legitimate ManageEngine Endpoint Central RMM software, providing persistent remote access to compromised systems. The scripts employ heavy obfuscation, Chinese-language comments, and modify Windows UAC settings. Infrastructure overlaps with ValleyRAT and Gh0st RAT operations suggest possible Chinese-speaking operators, though attribution remains uncertain. The campaign primarily targets individual users through opportunistic rather than focused methods, exploiting social engineering techniques with localized filenames in multiple languages.

MediumMalwareAustraliaBrazilBritish Indian Ocean Territory+7#uac bypass#valleyrat#gh0st rat

Cybercriminals orchestrated a sophisticated malvertising operation leveraging Google Ads to impersonate popular AI developer tools including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. Over seven weeks spanning April to June 2026, attackers deployed 106 unique malicious hostnames across six distinct waves, initially hosting ClickFix social engineering pages on GitLab infrastructure before pivoting to weaponize claude.ai's legitimate shared chat feature. The campaign targeted technically proficient users searching for AI development tools, tricking them into executing terminal commands that deployed the MacSync infostealer. This credential-harvesting malware collected browser data, SSH keys, and cryptocurrency wallets. The Asia-Pacific region sustained the heaviest impact with 67.2% of over 2,000 victims, particularly concentrated in Taiwan. Anthropic responded by banning malicious accounts and implementing additional abuse mitigations.

MediumMalwareBritish Indian Ocean TerritoryFranceHong Kong+6#gitlab pages abuse#macsync#ai impersonation

Lookalike attacks exploit human cognitive shortcuts rather than technical vulnerabilities, designing domain names that resemble legitimate services to bypass security controls. These attacks leverage predictable patterns in how people read and process text, using techniques including homographs, typosquatting, domain embedding, and keyword association. The domain name itself embeds targeting intent, making attacks visible in DNS infrastructure before malicious activity occurs. Attackers face deliberate tradeoffs between plausibility and uniqueness, often maintaining domains in dormant states between campaigns to evade takedown. DNS provides early structural signals about attacker intent and brand targeting, though ambiguity remains inherent as legitimate services often exhibit similar patterns. Effective detection requires separating targets from imposters and understanding that domain-based analysis surfaces risk rather than definitive verdicts.

Multiple phishing campaigns are exploiting the FIFA World Cup 2026 event to target mobile users globally. These campaigns use typosquatting, institutional spoofing, and impersonation of major sports retailers to harvest credentials. A sophisticated recruitment fraud campaign also targets corporate Google Workspace accounts with an Adversary-in-the-Middle platform capable of bypassing MFA. Attack vectors include SMS, WhatsApp, and search engines, leveraging emotional urgency and ticket scarcity. This creates risks for enterprises as employees may access work resources via compromised personal devices.

Threat actors are leveraging TikTok and Instagram Reels to distribute the Vidar infostealer through fake software tutorials. Two distinct campaigns use short-form videos disguised as tutorials for unlocking premium software like Spotify. The first campaign uses accounts mimicking official Windows profiles with AI-voiced clips instructing users to run PowerShell commands that download Vidar from lookalike domains. One video achieved over 100,000 views. The second campaign uses ordinary accounts posting music-backed clips that bait users in comments to receive malicious links via direct message. These campaigns exploit platform recommendation algorithms by encouraging saves and shares. Vidar is sold as a service for $300 lifetime license and harvests credentials, financial data and authentication tokens.

US Federal authorities have seized 13 domains allegedly used in a Chinese intelligence-linked operation to recruit Americans with access to classified government information. The websites posed as legitimate consulting firms, offering vague consultancy and advisory roles to current and former US government employees, military personnel, and security clearance holders. The operation, which began in November 2023, used fake company websites, online job postings, and social media recruiting to approach potential targets. Recruiters offered paid consulting work, then pressured candidates to share confidential insider information. The campaign employed false personas, stolen identities, AI-generated profile photos, encrypted messaging, cryptocurrency, and fake contracts to appear legitimate. Job postings appeared on platforms including Upwork, Expertia AI, and Hubstaff Talent, covering topics aligned with Chinese government interests.

MediumCampaignUnited States#job platforms#security clearance#recruitment operation

Threat actors are increasingly leveraging the global interest in artificial intelligence by impersonating popular AI platforms such as ChatGPT, Copilot, DeepSeek, and Claude in social engineering campaigns. These operations span phishing attacks, malvertising, and search engine optimization-driven tactics that ultimately lead to credential theft, financial fraud, or malware infections. Observed campaigns include ChatGPT-themed phishing collecting credit card data targeting South Africa, Claude-themed adversary-in-the-middle attacks harvesting credentials and access tokens, malvertising campaigns distributing Vidar stealer through fake AI plugin downloads, and fraudulent DeepSeek V4 installers on GitHub. The initial access broker Storm-3075 has been identified employing AI-themed malvertising, while the financially motivated actor Fox Tempest provides malware-signing-as-a-service to enhance payload legitimacy. These campaigns combine traditional social engineering tactics with AI branding to improve success...

WhatsApp successfully identified and disrupted spear phishing attempts linked to NSO Group, a spyware firm blacklisted by the US government. The company is requesting the court to hold NSO in contempt for violating a permanent injunction that prohibited them from targeting WhatsApp and its users. The attacks involved social engineering attempts to trick users into clicking malicious links, as well as creating test accounts and groups on the platform. WhatsApp emphasizes that spyware represents a national security threat and is supporting the Spyware Accountability Initiative through significant contributions. The company continues to protect users through end-to-end encryption and encourages reporting suspicious activity while maintaining updated applications and devices.

A new extortion group called Pink, tracked as cluster CL-CRI-1147, employs voice phishing and fake IT helpdesk impersonation to compromise organizations. The gang steals employee credentials, bypasses multi-factor authentication, and exfiltrates data from cloud storage platforms like SharePoint and OneDrive. Pink threatens to leak stolen information unless ransom demands are met, setting 72-hour deadlines. The group's data-leak site launched on May 31, 2026. This approach mirrors tactics popularized by Lapsus$, Scattered Spider, and ShinyHunters. Incident responders link Pink to The Com, a loosely connected network of English-speaking hackers and extortionists. Attackers use compromised victim accounts and internal Teams messages for extortion communications, reusing domains across multiple targets.