Threats Tagged 't1213'

On June 11, 2026, the Icarus threat group compromised Klue's backend systems, a market intelligence platform used by hundreds of enterprises to sync competitive battlecard data with CRM environments. The attackers exploited a dormant credential from an abandoned prototype integration to harvest OAuth tokens for Salesforce and Gong. Through automated API calls using Python scripts, the group exfiltrated CRM data including business contacts, price quotes, and sales communications from multiple customer Salesforce organizations. Klue detected the anomalous activity on June 12 and revoked OAuth credentials on June 13. The attackers subsequently launched an extortion campaign starting June 16, demanding victims contact them via Session Messenger within 48 hours.

An active malware campaign is targeting Thailand's healthcare sector, including Ministry of Health personnel and affiliated organizations. The operation leverages healthcare-themed spear-phishing lures distributed through malicious RAR archives containing obfuscated batch scripts and executable payloads. The infection chain employs multiple stages of obfuscation, GitHub-hosted payload delivery, and persistence mechanisms. The final payload is a Python-based information stealer designed to harvest browser credentials, session data, and cookies, with exfiltration attempts through Telegram Bot API. The campaign demonstrates sophisticated tradecraft including Rouki-obfuscated batch loaders, Startup folder persistence, and bundled Python interpreters. Active operational window spans from April to June 2026, with all samples uploaded from Thailand.

MediumMalwareThailand#batch script obfuscation#github payload hosting#python stealer

In June 2026, a compromised Klue competitive-intelligence platform integration was exploited to exfiltrate customer relationship management data from enterprise Salesforce environments. Attackers authenticated through compromised Klue service accounts, generated OAuth tokens, and executed automated Python scripts to conduct bulk data extraction via Salesforce REST API queries over approximately 24 hours. The activity included concentrated bursts of nearly a thousand queries within 15 minutes and sustained extraction windows exceeding 6 hours. This incident follows similar third-party OAuth-abuse campaigns targeting Salesforce through Salesloft Drift and Gainsight integrations throughout 2025 and 2026. While the tactics resemble operations attributed to ShinyHunters and UNC6395 threat groups, attribution remains uncertain. The initial access vector, full scope of exfiltration, and attacker intent are still under investigation, with no extortion demands observed to date.

A sophisticated espionage campaign attributed to UNC6508, a China-nexus threat actor, targeted North American academic, medical, and military research institutions for over a year. The adversary exploited REDCap servers, deployed custom INFINITERED malware to harvest credentials, and maintained persistent access through trojanized legitimate files that survived software upgrades. After remaining undetected for more than a year, the threat actor pivoted to administrative accounts and created malicious content compliance rules to silently exfiltrate emails containing defense intelligence, Indo-Pacific command operations, artificial intelligence research, uncrewed vehicle systems, cyber programs, and medical research data. The operation employed sophisticated techniques including obfuscation networks routing through US-based infrastructure, compromised routers, and dedicated exfiltration accounts, demonstrating advanced operational security aligned with strategic intelligence collection requirements.

MediumMalwareUnited StatesCanada#medical research targeting#unc6508#infinitered

An FBI investigation identified Denis Nikolayevich Obrezko, a Russian national, as facilitating cyber intrusions conducted by the Russia-aligned threat group Void Blizzard. Between June and July 2024, multiple U.S. companies across various sectors were targeted in a large-scale cyber espionage campaign involving mass email harvesting and unauthorized access. The threat actors utilized stolen session tokens, proxy services, and VPNs to authenticate to victim Office 365 environments and exfiltrate data. Obrezko allegedly obtained critical infrastructure including a virtual private server and domain registration used in these attacks. FBI investigation linked Obrezko through cryptocurrency transactions, email accounts, phone numbers, and IP addresses to domains and infrastructure used in the intrusion campaign. Eleven U.S. companies have confirmed unauthorized access, representing only a fraction of suspected victims nationwide.

MediumCampaignUnited States#void blizzard#cryptocurrency#denis obrezko

SearchJack represents a coordinated campaign comprising 23 deceptive Chrome browser extensions that silently hijack users' default search engines, redirecting queries through monetization middleware before delivering results. These extensions masquerade as various productivity tools, satellite imagery viewers, maps, and news readers while their actual purpose is generating search affiliate revenue. The campaign affects approximately 758,000 users across 22 unique publishers and leverages at least 8 distinct monetization brokers, primarily routing traffic through Yahoo Hosted Search affiliate programs. The extensions employ manifest-only wrappers using chrome_settings_overrides to hijack search settings, with some implementing runtime obfuscation to evade static analysis. Several extensions feature false privacy claims, anomalous review patterns, and anonymous publishers with fictional corporate identities, enabling operators to monetize user search behavior while maintaining zero accountability.

The hospitality and travel sector experienced a dramatic surge in cyberattacks, with organizations facing an average of 2,291 weekly attacks in May 2026, representing a 24% year-over-year increase and a cumulative 122% rise since 2023. Cybercriminals registered 47,318 travel-related domains in May 2026 alone, with one in every 112 classified as malicious or suspicious. Three coordinated bulk-registration campaigns were identified, including sequential hotel-lure domains, American Express and Lloyds Travel Choice impersonations, and widespread Fora Travel brand abuse across 108 TLDs. Active phishing operations target major platforms including Booking.com, Airbnb, and Skyscanner through lookalike domains designed to harvest credentials and payment information. These attacks deliberately intensify during peak summer booking season when travelers are distracted and eager for deals, exploiting the industry's high volume of personal and financial data processing.

A sophisticated supply chain attack campaign has expanded to 471 affected artifacts across npm and PyPI, targeting developers through malicious packages. The campaign uses three distinct delivery methods: executable .pth startup hooks, trojanized native .abi3.so extensions that execute at import time, and a split loader-payload architecture that searches Python's sys.path. Twenty-three newly identified PyPI packages masquerade as bioinformatics tools, AI frameworks, and popular libraries like requests and Flask. The attack deploys heavily obfuscated JavaScript stealers via Bun runtime, harvesting high-value credentials including GitHub tokens, npm registry access, cloud credentials, SSH keys, and CI/CD secrets. The malware employs anti-analysis techniques with fake LLM prompt-injection headers designed to disrupt AI-assisted security scanners, while targeting developer workstations and automated build environments.

A coordinated smishing operation spanning 19 countries across Europe, the Americas, and the Caucasus has been exposed, originating from fraudulent SMS messages impersonating Romania's government payment portal Ghișeul.ro. Investigation revealed 1,628 malicious URLs linked by a single 128-character campaign identifier, targeting government portals, traffic police departments, postal services including DPD and SEUR, tax authorities, and telecommunications providers like T-Mobile and Vodafone. The infrastructure utilizes 32 backend IP addresses distributed across Tencent Cloud, Alibaba Cloud, Cloudflare CDN, and ALEXHOST Moldova. Threat actors employ two distinct phishing templates: a Vue.js single-page application and a Bootstrap-based clone, executing a four-stage credential harvesting process that collects complete payment card details through fabricated traffic fines, toll payments, and delivery notifications.

MediumCampaignUnited StatesAlbaniaArmenia+16#smishing#government impersonation#credential harvesting