Phishing | Breaking Cybersecurity News | The Hacker News

Multiple suspected Russia-linked threat actors are "aggressively" targeting individuals and organizations with ties to Ukraine and human rights with an aim to gain unauthorized access to Microsoft 365 accounts since early March 2025. The highly targeted social engineering operations, per Volexity, are a shift from previously documented attacks that leveraged a technique known as device code phishing to achieve the same goals, indicating that indicating that the Russian adversaries behind these campaigns are actively refining their tradecraft to fly under the radar. "These recently observed attacks rely heavily on one-on-one interaction with a target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code," security researchers Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster said in an exhaustive analysis. At least two different threat clusters tracked as UTA0352 and UTA03...

As SaaS and cloud-native work reshape the enterprise, the web browser has emerged as the new endpoint. However, unlike endpoints, browsers remain mostly unmonitored, despite being responsible for more than 70% of modern malware attacks . Keep Aware's recent State of Browser Security report highlights major concerns security leaders face with employees using the web browser for most of their work. The reality is that traditional security tools are blind to what happens within the browser , and attackers know it. Key Findings: 70% of phishing campaigns impersonate Microsoft, OneDrive, or Office 365 to exploit user trust. 150+ trusted platforms like Google Docs and Dropbox are being abused to host phishing and exfiltrate data. 10% of AI prompts involve sensitive business content, posing risks across thousands of browser-based AI tools. 34% of file uploads on company devices go to personal accounts, often undetected. New Attack Patterns Bypass Traditional Defenses From phis...

In what has been described as an "extremely sophisticated phishing attack," threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google's infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. "The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com," Nick Johnson, the lead developer of the Ethereum Name Service (ENS), said in a series of posts on X. "It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts." The email message informs prospective targets of a subpoena from a law enforcement authority asking for unspecified content present in their Google Account and urges them to click on a sites.google[.]com URL in order to "examine the case materials or take measures to submit a protest." The Google Si...

Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now-patched vulnerability impacting Microsoft Remote Desktop Services to gain initial access. The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC). "In some systems, initial access was gained through exploiting the RDP vulnerability (BlueKeep, CVE-2019-0708)," the South Korean cybersecurity company said . "While an RDP vulnerability scanner was found in the compromised system, there is no evidence of its actual use." CVE-2019-0708 (CVSS score: 9.8) is a critical wormable bug in Remote Desktop Services that could enable remote code execution, allowing unauthenticated attackers to install arbitrary programs, access data, and even create new accounts with full user rights. However, in order for an adversary to exploit the flaw, they would need to send a specially crafted...

A new Android malware-as-a-service (MaaS) platform named SuperCard X can facilitate near-field communication ( NFC ) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to suggest that the service is promoted on Telegram channels. SuperCard X "employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud," security researchers Federico Valentini‍, Alessandro Strino, and Michele Roviello said . The new Android malware, the work of a Chinese-speaking threat actor, has been observed being propagated via three different bogus apps, duping victims into installing them via social engineering techniques like deceptive SMS or WhatsApp mess...

Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66 . The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week.  "Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts," security researchers Pawel Knapczyk and Dawid Nesterowicz said . "Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years." The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named PROSPERO. Last year, French security firm Intrinsec detailed their connections to bulletproof services marketed on Russian cybercrime forums under ...

The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER. "While the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery," Check Point said in a technical analysis published earlier this week. "Despite differing roles, both share similarities in code structure, obfuscation, and string decryption. GRAPELOADER refines WINELOADER's anti-analysis techniques while introducing more advanced stealth methods." The use of WINELOADER was first documented by Zscaler ThreatLabz in February 2024, with the attacks leveraging wine-tasting lures to infect diplomatic staff systems. While the campaign was first attributed to a threat activity...

Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024. "The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by 'Wang Duo Yu,'" Cisco Talos researchers Azim Khodjibaev, Chetan Raghuprasad, and Joey Chen assessed with moderate confidence. The phishing campaigns , per the company, impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas about an unpaid toll and clicking on a fake link sent in the chat. It's worth noting some aspects of the toll phishing campaign were previously highlighted by security journalist Brian Krebs in January 2025, with the activity traced back to a China-b...

A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign. The starting point of the attack is a deceptive email that poses as an order request to deliver a malicious 7-zip archive attachment, which contains a JavaScript encoded (.JSE) file. The phishing email, observed in December 2024, falsely claimed that a payment had been made and urged the recipient to review an attached order file. Launching the JavaScript payload triggers the infection sequence, with the file acting as a downloader for a PowerShell script from an external server. The script, in turn, houses a Base64-encoded payload that's subsequently deciphered, written to the Wi...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a medium-severity security flaw impacting Microsoft Windows to its Known Exploited Vulnerabilities ( KEV ) catalog, following reports of active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2025-24054 (CVSS score: 6.5), is a Windows New Technology LAN Manager ( NTLM ) hash disclosure spoofing bug that was patched by Microsoft last month as part of its Patch Tuesday updates. NTLM is a legacy authentication protocol that Microsoft officially deprecated last year in favor of Kerberos. In recent years, threat actors have found various methods to exploit the technology, such as pass-the-hash and relay attacks, to extract NTLM hashes for follow-on attacks. "Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network," CISA said. In a bulletin published in March, Mi...

Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware over a three-month period from late 2024 through the beginning of 2025. The phishing campaigns adopting the strategy have been attributed to clusters tracked as TA427 (aka Kimsuky), TA450 (aka MuddyWater), UNK_RemoteRogue, and TA422 (aka APT28). ClickFix has been an initial access technique primarily affiliated with cybercrime groups, although the effectiveness of the approach has led to it also being adopted by nation-state groups. "The incorporation of ClickFix is not revolutionizing the campaigns carried out by TA427, TA450, UNK_RemoteRogue, and TA422 but instead is replacing the installation and execution stages in existing infection chains," enterprise security firm Proofpoint said in a report published today. ClickFix , in a nutshell, refers to a sneaky technique that tricks users int...

Talking about AI: Definitions Artificial Intelligence (AI) — AI refers to the simulation of human intelligence in machines, enabling them to perform tasks that typically require human intelligence, such as decision-making and problem-solving. AI is the broadest concept in this field, encompassing various technologies and methodologies, including Machine Learning (ML) and Deep Learning. Machine Learning (ML) — ML is a subset of AI that focuses on developing algorithms and statistical models that allow machines to learn from and make predictions or decisions based on data. ML is a specific approach within AI, emphasizing data-driven learning and improvement over time. Deep Learning (DL) — Deep Learning is a specialized subset of ML that uses neural networks with multiple layers to analyze and interpret complex data patterns. This advanced form of ML is particularly effective for tasks such as image and speech recognition, making it a crucial component of many AI applications. Larg...