Security Affairs

JULY 17, 2020

Experts that want to to study phishing attack schema and Kit-composition can use the recently PhishingKitTracker, which is updated automatically. If you are a security researcher or even a passionate about how attackers implement phishing you will find yourself to look for phishing kits. Disclaimer.

Phishing 356

Phishing File names Archiving IT 356

Security Affairs

APRIL 5, 2022

Ukraine CERT-UA spotted a spear-phishing campaign conducted by Russia-linked Armageddon APT targeting local state organizations. The phishing messages have been sent from “vadim_melnik88@i[.]ua,” The messages use the HTML-file “War criminals of the Russian Federation.htm” as attachment.

Military 346

Military Phishing Archiving File names 346

Security Affairs

JULY 28, 2024

On July 24, 2024, CrowdStrike experts identified a spear-phishing campaign targeting German customers by exploiting the recent issue with Falcon Sensor updates. ” The spear-phishing page includes the brands of the targeted company and CrowdStrike. “The website it[.]com min.js” to evade detection.

Passwords 359

Passwords Phishing File names Metadata 359

Security Affairs

MAY 17, 2024

The attack chain starts with the theft of the identity of a real person in South Korea, then the victims were contacted via Facebook Messenger. Threat actors pretended to share private documents they had written with the victims. “The initial individual approach is similar to an email-based spear phishing attack strategy.

File names 327

File names Phishing Communications Security 327

Security Affairs

SEPTEMBER 23, 2024

The threat actor used spear-phishing emails and exploited the recently patched GeoServer vulnerability CVE-2024-36401. is a Remote Code Execution (RCE) issue caused by unsafe evaluation of property names as XPath expressions. GeoServer is an open-source server that allows users to share and edit geospatial data.

Phishing 349

Phishing File names Cloud Government 349

Security Affairs

APRIL 14, 2020

PaloAlto Networks experts warn of malicious Coronavirus themed phishing campaigns targeting government and medical organizations. The attacks against the Canadian healthcare organizations were discovered between March 24 and March 26, they started with coronavirus -themed phishing campaigns that were carried out in the last months.

Ransomware 361

Ransomware Phishing Government File names 361

Security Affairs

OCTOBER 24, 2022

On October 21, 2022, the Ukraine CERT-UA uncovered a phishing campaign impersonating the Press Service of the General Staff of the Armed Forces of Ukraine. The phishing messages included a link to a third-party website for downloading a document titled ‘?????_309.pdf’

Ransomware 302

Ransomware Phishing File names IT 302

Security Affairs

MARCH 15, 2020

Researchers from MalwareHunterTeam discovered a suspicious RAR file named “COVID-19-” that was being distributed online, likely through phishing emails. "Important The RAR archive contains a file named “Important – COVID-19” that displays a Word icon.

Communications 359

Communications File names Archiving Phishing 359

Security Affairs

FEBRUARY 17, 2022

Once an attacker obtained Microsoft 365 credentials, for example from a previous phishing campaign or data breach, that can access Teams and other Office applications. “Compounding this problem is the fact that default Teams protections are lacking, as scanning for malicious links and files is limited.

File names 363

File names Phishing Data breaches Access 363

Security Affairs

MAY 16, 2020

Experts spotted a new malware dubbed QNodeService that was involved in Coronavirus-themed phishing campaign, crooks promise victims COVID-19 tax relief. Researchers uncovered a new malware dubbed QNodeService that was employed in a Coronavirus-themed phishing campaign.

Phishing 348

Phishing File names Access Government 348

Security Affairs

APRIL 22, 2024

GooseEgg is usually deployed with a batch script, commonly named execute.bat or doit.bat. This script creates a file named servtask.bat, which includes commands for saving or compressing registry hives. Most of the APT28s’ campaigns leveraged spear-phishing and malware-based attacks.

Military 357

Military File names Education Phishing 357

Security Affairs

MARCH 8, 2022

The attackers carried out both phishing campaigns and DDoS attacks. This activity ranges from espionage to phishing campaigns.” ” FancyBear has conducted several large credential phishing campaigns aimed at the users of Ukrainian media company UkrNet. ” wrote Shane Huntley, Google’s TAG lead.

Military 273

Military Phishing File names Government 273

Security Affairs

JANUARY 5, 2025

Google researchers analyzed a new malware family called PLAYFULGHOST that supports multiple features, including keylogging, screen and audio capture, remote shell, and file transfer/execution. The backdoor is distributed through: Phishing emails with themes such as code of conduct to trick users into downloading the malware.

File names 246

File names Archiving Phishing Encryption 246

Security Affairs

APRIL 2, 2019

Hacked websites were used for several malicious purposes, experts observed compromised WordPress and Joomla websites serving Shade /Troldesh ransomware, coin miners, backdoors, and some times were involved in phishing campaigns. The attackers use these locations to hide malware and phishing pages from the administrators.

CMS 280

CMS Phishing Ransomware File names 280

Security Affairs

SEPTEMBER 26, 2023

In August 2023 ThreatFabric discovered new samples distributed via phishing webpages designed to trick recipients into installing malicious APKs. “ThreatFabric was able to identify active campaigns distributing the malware via phishing pages. The list of targets is larger than previous versions.

Phishing 319

Phishing File names Manufacturing IT 319

Security Affairs

SEPTEMBER 12, 2019

Iran-linked Cobalt Dickens APT group carried out a spear-phishing campaign aimed at tens of universities worldwide. This operation is similar to the threat group’s August 2018 campaign , using compromised university resources to send library-themed phishing emails.” ” reads the analysis published by Secureworks.

Phishing 251

Phishing Libraries File names Metadata 251

Security Affairs

DECEMBER 15, 2021

A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named “Special discount program.zip”, suggesting that it arrived in a spear-phishing email.” The malicious archive was likely spread through spear-phishing messages. Evidence of a possible vector was found at only one target.

File names 282

File names Passwords Phishing Archiving 282

Security Affairs

SEPTEMBER 3, 2020

Attackers carried out spear-phishing emails using the Know Your Customer regulations (KYC) as a lure. The new infection chain starts by including just one LNK file in the ZIP archive attached to spear-phishing messages. The PyVil RAT was recently employed in attacks against FinTech companies across the U.K.

Phishing 363

Phishing Encryption File names Metadata 363

Security Affairs

FEBRUARY 26, 2020

During our Threat Intelligence activities we noticed a suspicions artifact named “ CoronaVirusSafetyMeasures_pdf ”, so, intrigued by its name and by its recent submission on Yomi Hunter ( LINK ), we decided to deep dive into it. Probably, the infection vector was a phishing mail containing a specific attachment. exe” appeared.

File names 355

File names Communications Encryption IT 355

Security Affairs

MARCH 28, 2022

Ukraine CERT-UA uncovered a spear-phishing campaign conducted by Belarus-linked GhostWriter APT group targeting Ukrainian state entities with Cobalt Strike Beacon. The phishing messages use a RAR-archive named “Saboteurs.rar”, which contains RAR-archive “Saboteurs 21.03.rar.”

Archiving 246

Archiving CMS File names Phishing 246

Security Affairs

JULY 19, 2022

The phishing messages included a link to a malicious HTML file ( EnvyScout ) that acted as a dropper for additional malicious payloads, including a Cobalt Strike beacon. “Many of these documents appear to be phishing documents associated with common cybercrime techniques. The payload file is an ISO file named Agenda.iso.

Phishing 246

Phishing Cloud File names Metadata 246

Security Affairs

SEPTEMBER 12, 2022

Once obtained the credentials, the attackers launched voice phishing attacks in an attempt to trick the victim into accepting the MFA push notification started by the attacker. The content of these files match what we already identified and disclosed.” ” reads an update published by Cisco on September September 11, 2022.

Ransomware 286

Ransomware IT Authentication File names 286

Security Affairs

NOVEMBER 10, 2022

Mandiant researchers in early 2022 responded to an incident where the Russia-linked APT29 group (aka SVR group , Cozy Bear , Nobelium , and The Dukes ) successfully phished a European diplomatic entity. Then the attacker can write an arbitrary number of bytes to any file on the file system, posing as the victim account.

File names 342

File names Passwords Phishing Encryption 342

Security Affairs

NOVEMBER 20, 2018

The Russia-linked APT group delivers Cannon in a spear-phishing attack that targets government organizations in North America, Europe and in a former USSR state. Hackers used weaponized files named ‘crash list (Lion Air Boeing 737).docx’ docx’ for their campaigns.

File names 268

File names Phishing Communications Government 268

Security Affairs

NOVEMBER 7, 2019

Experts observed a new phishing campaign that used a specially crafted ZIP archive that was designed to bypass secure email gateways to distribute malware. Attackers have devised a new technique to distribute malware bypassing secure email gateways and other security solutions by using a specially crafted ZIP file.

Archiving 279

Archiving Security File names Phishing 279

Security Affairs

FEBRUARY 23, 2020

The threat actor uses phishing messages with weaponized Microsoft Office documents to deliver the RAT. The maldocs used in this campaign have benign file names such as “Company-Terms.doc”, “DOT_JD_GM.doc.” ” The most recent campaign started in January 2020 and is still ongoing.

Government 362

Government File names Passwords Phishing 362

Security Affairs

APRIL 24, 2021

Threat actors behind ToxicEye spread the RAT via phishing emails containing a malicious.exe file. “The bot is embedded into the ToxicEye RAT configuration file and compiled into an executable file (an example of a file name we found was ‘paypal checker by saint.exe’).

Communications 334

Communications File names Encryption Education 334

Security Affairs

JULY 22, 2019

“In late June 2019, FireEye identified a phishing campaign conducted by APT34, an Iranian-nexus threat actor.” The phishing campaign primarily targeted organizations in the energy and oil and gas, along with government entities. The fake profiles asked the victims to open the weaponized excel file named ERFT-Details.

File names 278

File names Phishing Government Passwords 278

Security Affairs

OCTOBER 28, 2018

Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html /javascript code that will be running in the background and could potentially lead to further code execution scenarios.”

File names 279

File names Phishing Security IT 279

Security Affairs

DECEMBER 8, 2021

By getting their hands on Microsoft Vancouver’s WordPress login, phishers could use the original Microsoft domain to carry out massive phishing campaigns that would bypass phishing filters. Such phishing messages would be displayed as legitimate emails coming from Microsoft.

Passwords 277

Passwords Metadata File names Phishing 277

Security Affairs

MARCH 18, 2022

Google recently announced to have blocked a phishing campaign originating conducted by China-linked cybereaspionage group APT31 (aka Zirconium , Judgment Panda, and Red Keres) and aimed at Gmail users associated with the U.S. government.

Government 282

Government File names Phishing Security 282

Security Affairs

FEBRUARY 3, 2023

The attack chain starts with spear-phishing messages with a.RAR attachment named “12-1-125_09.01.2023.” The.RAR archive contains the.LNK file named “Запит Служба безпеки України 12-1-125 від 09.01.2023.lnk” GammaSteel is a PowerShell script used to conduct reconnaissance and execute additional commands.

File names 246

File names Archiving Phishing Government 246

IT Governance

AUGUST 10, 2021

Welcome to August’s review of phishing scams, in which we look at criminals’ latest tactics and provide examples of successful frauds. Microsoft issues alert about “crafty” phishing scams. Security researchers at Microsoft are again warning users about phishing scams imitating SharePoint.

Phishing 111

Phishing File names Security Risk 111

Security Affairs

MAY 29, 2020

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader. . Thus, once clicked, it allows this malicious document to execute a malicious file named HimeraLoader.exe. Introduction. The following picture reports the infection chain used in this campaign: Figure 2: Infection Chain.

File names 302

File names IT Phishing Marketing 302

Security Affairs

JANUARY 5, 2020

Files names and paths observed in numerous campaigns conducted by the operator revealed a link to the scat01 and SoftEgorka nicknames, the vitasa01 [ @ ] yandex. According to the experts, the same individual was responsible for phishing attacks and scam attempts on his forum mates.” ru website. .”

Encryption 239

Encryption Ransomware IT Phishing 239

Security Affairs

APRIL 18, 2021

The phishing messages include links pointing to Slack or BaseCamp cloud storage, for this reason, they don’t raise suspicion when are received by employees working at an organization that uses the above services. Some of the files’ names observed by the experts are presentation-document.exe, preview-document-[number].exe

File names 338

File names Ransomware Phishing Encryption 338

Security Affairs

OCTOBER 10, 2018

” Gallmaker uses spear phishing messages using a weaponized Office document that uses the Dynamic Update Exchange (DDE) protocol to execute commands in the memory of the targeted device. Rather, the attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools.”

Military 268

Military File names Government Libraries 268