Many major organizations appear to have been targeted in an Okta SSO vishing campaign tied to ShinyHunters that involved fake domains and leaked data listings. Security firms warn attackers used real-time client-side phishing kits to intercept credentials and bypass MFA, urging adoption of phishing-resistant methods like FIDO2 and tighter app and…
Tag: INITIAL ACCESS
Zscaler ThreatLabz identified two Pakistan-linked campaigns in September 2025—Gopher Strike and Sheet Attack—targeting Indian government entities and using novel Golang tools and private GitHub repositories for C2 and payload staging. The Gopher Strike chain uses spearphishing PDFs leading to an ISO that delivers a Golang downloader (GOGITTER), a GitHub-based backdoor (GITSHELLPAD), and a Golang shellcode loader (GOSHELL) that ultimately deploys a Cobalt Strike Beacon. #GOGITTER #GITSHELLPAD #GOSHELL #CobaltStrike #APT36 #IndianGovernment
OT incidents rarely begin with targeted process attacks; they arise from common enterprise weaknesses—shared credentials, permissive remote management, weak IT–OT boundaries, and limited operational visibility—that allow IT compromises to become OT outages. Treating recovery and containment as security controls (locking down management planes, extending detection into OT-adjacent systems, and ensuring tamper‑resistant backups) is the decisive factor in limiting operational impact. #Sygnia #JumpServers
BravoX is a newly observed Ransomware-as-a-Service operation that publicly surfaced on January 23, 2026 after posting a Tor address on the RAMP forum and launching a Tor-based data leak site. The operation currently lists three alleged U.S. victims (two healthcare, one retail) and is advertising a selective affiliate model to scale its activities. #BravoX #RAMP
FortiGuard Labs describes a multi-stage Windows-focused campaign that uses social-engineered archives and LNK-triggered PowerShell to deploy staged loaders, abuse Defendnot to disable Microsoft Defender, install Amnesia RAT for extensive data theft and surveillance, and finally deliver Hakuna Matata–derived ransomware and a WinLocker to encrypt and lock victims’ systems. The operation leverages GitHub and Dropbox for modular hosting and the Telegram Bot API for C2 and exfiltration, while using registry and policy manipulation to suppress defenses and destroy recovery options. #Defendnot #AmnesiaRAT
North Korean-linked group Konni (Opal Sleet, TA406) is deploying AI-generated PowerShell backdoors to target developers and engineers in the blockchain sector across the Asia-Pacific region. The campaign uses Discord-hosted lures, LNK/DOCX/CAB loaders, UAC bypasses, scheduled tasks, and XOR-encrypted in-memory execution to maintain persistence and execute C2-issued code. #Konni #PowerShell
Check Point Research identified a KONNI-linked phishing campaign targeting blockchain developers across the APAC region that uses Discord-hosted lures and weaponized LNK shortcuts to deploy a multi-stage infection chain. The operation deploys an AI-generated, obfuscated PowerShell backdoor, leverages UAC bypass and scheduled-task persistence, and communicates with a PHP-based C2 protected by a JavaScript/AES challenge. #KONNI #SimpleHelp
Unknown attackers abused Microsoft SharePoint file-sharing links to phish credentials and take over corporate email accounts at multiple energy-sector organizations, then used those accounts to send hundreds of phishing messages to internal and external contacts. Attackers created inbox rules, deleted evidence, and could persist by tampering with MFA and access controls,…
Anubis (formerly Sphinx) is a Ransomware-as-a-Service operation first observed in late 2024 that combines standard file encryption with an optional destructive wipe mode, permanently destroying data and removing decryption as a guaranteed outcome. Its affiliate-driven model and parallel monetization channels (data extortion and access resale) let operators choose between encryption, data-only extortion, or selling access, concentrating on high-value targets and controlled, high-impact intrusions. #Anubis #Sphinx
eSentire TRU uncovered a multi-stage espionage campaign targeting residents of India that uses phishing lures impersonating the Income Tax Department to deliver a DLL side-loading loader which fetches shellcode, bypasses UAC via a COM elevation moniker, and ultimately deploys a repurposed SyncFuture TSM platform for persistent remote surveillance. The intrusion chain includes anti-analysis, PEB process masquerading, Avast-specific GUI automation to create antivirus exclusions, service-based Safe Mode persistence, and multiple signed binaries and certificates abused to appear legitimate. #Blackmoon #SyncFuture
Researchers disclosed a new ransomware family called Osiris that struck a major food service franchisee in Southeast Asia in November 2025, leveraging a custom driver named POORTRY in a BYOVD-style attack to disable security and exfiltrate data to Wasabi cloud buckets. Osiris uses hybrid per-file encryption, can stop services and kill…
Remcos and NetSupport Manager were deployed via a multi-stage infection chain that relied exclusively on Windows built-in utilities (LOLBins) to evade detection and persist. The attack used forfiles, mshta, PowerShell curl and tar, scripting engines, and stealthy registry persistence before Malwarebytes detected and blocked the intrusion. #Remcos #NetSupportManager…
Microsoft Defender researchers uncovered a multi-stage adversary‑in‑the‑middle (AiTM) phishing and BEC campaign that used compromised trusted vendor SharePoint links to harvest credentials, steal session cookies, create malicious inbox rules, and send large‑scale phishing to internal and external contacts, compromising multiple accounts in the energy sector. Remediation requires more than password resets—organizations must revoke active session cookies, remove attacker‑created inbox rules, enforce MFA/conditional access, and use Defender XDR detection and ZAP to contain and remediate the campaign. #AiTM #SharePoint
BlackSuit is an evolution of the Royal ransomware family active since at least May 2023, using phishing for initial access, extensive data exfiltration, a double-extortion model, and a configurable partial-encryption approach to speed encryption and reduce detection. AttackIQ released an emulation based on CISA and DFIR reporting to help organizations validate…
Episode 4 of the Charming Kitten / APT35 leaks exposes not sophisticated zero-day exploits but the bureaucratic infrastructure—spreadsheets, invoices, crypto receipts, hosting accounts, and one-time ProtonMail identities—that fund, procure, and maintain Iranian cyber operations. The documents tie APT35’s procurement and payment chains to Moses Staff’s leak domains and operational tooling, showing micro-crypto payments via Cryptomus, recurring European VPS providers (EDIS, Impreza), and repeatable, auditable workflows that convert state intent into persistent infrastructure. #APT35 #MosesStaff