Threats Tagged 't1185'
ClickFix Campaign Generated Via AI Delivers SmartRAT
In March 2026, threat actors used AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign used ClickFix techniques with fake CAPTCHA and BSOD screens to trick victims into running malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan capable of encrypted command-and-control communications, remote control of user input devices, credential theft via keylogging and banking overlays, and QR code interception for transaction fraud. The malware persists through scheduled tasks and Windows services. The campaign targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The attackers' command-and-control panel had critical authentication flaws allowing client-side bypass, indicating poor security review before deployment.
AlienVault OTX General | 06/17/2026, 18:20:54 UTC | Added: 06/17/2026, 20:35:04 UTC

140+ npm Packages Compromised in Coordinated Supply Chain Attack
A coordinated supply chain attack compromised over 140 Mastra npm packages by injecting a typosquatted dependency named easy-day-js. The malicious code executes during npm install via a postinstall hook, deploying a two-stage payload that disables TLS validation and installs a cross-platform implant on Windows, macOS, and Linux. This implant acts as a command-and-control client capable of stealing cryptocurrency wallet data from over 166 browser extensions, harvesting browser history, and executing arbitrary code. The attack affects popular packages including @mastra/core, which has high weekly downloads, compromising developer systems during package installation.
AlienVault OTX General | 06/17/2026, 13:38:33 UTC | Added: 06/17/2026, 20:20:40 UTC

Affidavit in Support of Application for Criminal Complaint
An FBI investigation identified Denis Nikolayevich Obrezko, a Russian national, as facilitating cyber intrusions conducted by the Russia-aligned threat group Void Blizzard. Between June and July 2024, multiple U.S. companies across various sectors were targeted in a large-scale cyber espionage campaign involving mass email harvesting and unauthorized access. The threat actors utilized stolen session tokens, proxy services, and VPNs to authenticate to victim Office 365 environments and exfiltrate data. Obrezko allegedly obtained critical infrastructure including a virtual private server and domain registration used in these attacks. The FBI investigation linked Obrezko through cryptocurrency transactions, email accounts, phone numbers, and IP addresses to domains and infrastructure used in the intrusion campaign. Eleven U.S. companies have confirmed unauthorized access, representing only a fraction of suspected victims nationwide.
AlienVault OTX General | 06/11/2026, 21:09:37 UTC | Added: 06/15/2026, 19:30:18 UTC

Threat Actors Target FIFA World Cup 2026
A sophisticated Chinese-origin fraud operation is targeting FIFA World Cup 2026 attendees through pixel-perfect website clones and a multi-tenant phishing infrastructure. The actors deploy typosquatted domains and a commercially developed administrative system to mimic legitimate FIFA ticketing platforms. Technical analysis reveals high-fidelity brand cloning, real-time card skimming capabilities, and a distributed reseller ecosystem supporting at least 15 active operator instances. The platform functions as an active Man-in-the-Middle framework intercepting payment card details and bypassing SMS-based two-factor authentication in real time. Traffic is primarily driven through Facebook and Instagram in-app browsers. Simplified Chinese localizations and operator geolocations from IP addresses in China indicate PRC-based actors. The core payment routing hub tbpay[.]uk lacks financial regulatory authorization and has historical malicious patterns.
AlienVault OTX General | 06/11/2026, 16:31:35 UTC | Added: 06/15/2026, 19:30:18 UTC

World Cup 2026 Mobile Targeted Phishing: The Global Social Engineering Threat
Multiple phishing campaigns are exploiting the FIFA World Cup 2026 event to target mobile users globally. These campaigns use typosquatting, institutional spoofing, and impersonation of major sports retailers to harvest credentials. A sophisticated recruitment fraud campaign also targets corporate Google Workspace accounts with an Adversary-in-the-Middle platform capable of bypassing MFA. Attack vectors include SMS, WhatsApp, and search engines, leveraging emotional urgency and ticket scarcity. This creates risks for enterprises as employees may access work resources via compromised personal devices.
AlienVault OTX General | 06/11/2026, 21:09:38 UTC | Added: 06/15/2026, 19:15:22 UTC

Defending the Digital Pitch: World Cup 2026 Cyber Threats
The 2026 FIFA World Cup presents a concentrated attack surface spanning three nations, 16 cities, and billions of viewers. Cybercriminals have already launched phishing campaigns, fraudulent ticket sales, and brand impersonation schemes targeting governments, sponsors, broadcasters, transportation providers, and telecommunications companies. Financially motivated actors are exploiting tournament-related interest through credential theft and payment fraud. Hacktivist and state-aligned groups, including pro-Iranian actors like Handala and CyberAv3ngers, may conduct DDoS attacks, website defacements, or espionage operations amid heightened geopolitical tensions involving Iran, the United States, and Russia. Ransomware groups such as Qilin, DragonForce, Akira, and Play may target organizations reliant on continuous service availability. Thousands of FIFA-themed domains have been registered, many exhibiting characteristics associated with fraud campaigns. Organizations throughout the ecosystem face elevated ris...
AlienVault OTX General | 06/11/2026, 21:09:40 UTC | Added: 06/15/2026, 19:15:22 UTC

The Devil, Eight Million Emails, and a Whole Lot of Milk | Phishing Stager Exposed
On May 15, 2026, Huntress agents detected an intrusion where threat actors compromised a terminal server to stage a massive phishing campaign rather than deploy ransomware. The attacker used legitimate bulk email software (Gammadyne Mailer) with a project file named 'dracii' (Romanian for 'the devils') and six recipient lists containing 8,894,920 email addresses. Operating from Romanian IP addresses, the actor impersonated UK pharmacy chain Boots through a fake customer satisfaction survey designed to harvest personal and payment card data. The phishing kit was hosted on a compromised Bolivian government website (ipelc.gob.bo), which Huntress reported to Bolivia's national CSIRT. The campaign used direct-to-MX delivery to bypass mail relays, with the mailer configured to send from 666 threads simultaneously. Evidence suggests this Romanian operator has been running multiple UK-targeting campaigns since at least July 2025, rotating between retail, tax, and cryptocurrency themes.
AlienVault OTX General | 06/15/2026, 14:53:04 UTC | Added: 06/15/2026, 17:30:16 UTC

How 23 Browser Extensions Silently Monetize ~758,000 Users' Searches
SearchJack represents a coordinated campaign comprising 23 deceptive Chrome browser extensions that silently hijack users' default search engines, redirecting queries through monetization middleware before delivering results. These extensions masquerade as various productivity tools, satellite imagery viewers, maps, and news readers while their actual purpose is generating search affiliate revenue. The campaign affects approximately 758,000 users across 22 unique publishers and leverages at least 8 distinct monetization brokers, primarily routing traffic through Yahoo Hosted Search affiliate programs. The extensions employ manifest-only wrappers using chrome_settings_overrides to hijack search settings, with some implementing runtime obfuscation to evade static analysis. Several extensions feature false privacy claims, anomalous review patterns, and anonymous publishers with fictional corporate identities, enabling operators to monetize user search behavior while maintaining zero accountability.
AlienVault OTX General | 06/15/2026, 14:58:18 UTC | Added: 06/15/2026, 17:30:16 UTC

PHISH ALERT: Press Play for Compromise — Voicemail Phishing Kit Bundles SSO Hijacking, Credential Theft, and RMM Delivery
An advanced voicemail-themed phishing campaign is utilizing HTML attachments to hijack Microsoft 365 sessions through silent OAuth exploitation. Emails arrive spoofing legitimate businesses with fake voicemail notifications containing embedded HTML files. When victims click the play button, the kit triggers a rogue OAuth 2.0 request using the prompt=none parameter to steal authentication tokens from active M365 sessions. If no active session exists, victims are redirected to credential harvesters hosted on compromised infrastructure, specifically a Turkish domain hosting over 100 active campaign directories. The operation includes multiple attack vectors: fake login portals mimicking DocuSign, Outlook and Google, OAuth device code phishing interfaces, and RMM deployment disguised as document viewers. This represents a sophisticated Phishing-as-a-Service operation deploying concurrent attack types from consolidated infrastructure.
AlienVault OTX General | 06/10/2026, 10:57:37 UTC | Added: 06/10/2026, 11:12:10 UTC

Browser Spy-Ons: Threat Actor's Extension Hijack Your AI Conversations
Multiple malicious Chrome extensions are exploiting the growing use of AI platforms by disguising themselves as legitimate productivity tools while secretly stealing user conversations and personal data. Extensions including Urban VPN, Smart Sidebar, and AI Assistant/Chat AI collectively reach millions of users but contain hidden scripts that intercept communications with popular AI platforms like ChatGPT, Claude, DeepSeek, Gemini, and others. These extensions inject malicious JavaScript that overrides network requests, monitors DOM elements for chat interactions, and exfiltrates sensitive data including conversation content, session identifiers, and timestamps to remote servers. The threat is particularly concerning as users frequently share confidential personal, medical, and corporate information with AI platforms, making intercepted conversations highly valuable for threat actors.
AlienVault OTX General | 06/04/2026, 02:46:48 UTC | Added: 06/04/2026, 09:18:39 UTC