Search results for multi-stage chain attacks | Breaking Cybersecurity News | The Hacker News

Multi-stage cyber attacks, characterized by their complex execution chains, are designed to avoid detection and trick victims into a false sense of security. Knowing how they operate is the first step to building a solid defense strategy against them. Let's examine real-world examples of some of the most common multi-stage attack scenarios that are active right now. URLs and Other Embedded Content in Documents Attackers frequently hide malicious links within seemingly legitimate documents, such as PDFs or Word files. Upon opening the document and clicking the embedded link, users are directed to a malicious website. These sites often employ deceptive tactics to get the victim to download malware onto their computer or share their passwords. Another popular type of embedded content is QR codes. Attackers conceal malicious URLs within QR codes and insert them into documents. This strategy forces users to turn to their mobile devices to scan the code, which then directs them to ph...

Cybersecurity researchers have exposed a previously unknown threat actor known as Water Curse that relies on weaponized GitHub repositories to deliver multi-stage malware. "The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems," Trend Micro researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy, and Gabriel Nicoleta said in an analysis published this week. The "broad and sustained" campaign, first spotted last month, set up repositories offering seemingly innocuous penetration testing utilities, such as SMTP email bomber and Sakura-RAT, but harbored within their Visual Studio project configuration files malicious payloads that are designed to siphon sensitive data. Water Curse's arsenal incorporates a wide range of tools and programming languages, underscoring their cross-functional development capabilities to target the supply chain with "develope...

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors. Google-owned Mandiant, which is  tracking  the attack event under the moniker  UNC4736 ,  said  the incident marks the first time it has seen a "software supply chain attack lead to another software supply chain attack." The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it  emerged  that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer. "The malicious application next attempts to steal sensitive information from the victim user's web browser," the U.S. Cybersecurity and Infrastructure Security Agency (CI...

Threat actors are leveraging an artificial intelligence (AI) powered presentation platform named Gamma in phishing attacks to direct unsuspecting users to spoofed Microsoft login pages. "Attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal," Abnormal Security researchers Callie Hinman Baron and Piotr Wojtyla said in a Tuesday analysis. The attack chain commences with a phishing email, in some cases sent from legitimate, compromised email accounts, to entice message recipients into opening an embedded PDF document. In reality, the PDF attachment is nothing but a hyperlink that, when clicked, redirects the victim to a presentation hosted on Gamma that prompts them to click on a button to "Review Secure Documents." Doing so takes the user to an intermediate page that impersonates Microsoft and instructs them to complete a Cloudflare Turnstile verification step before accessing...

An advanced persistent threat (APT) actor with suspected ties to India has sprung forth with a flurry of attacks against high-profile entities and strategic infrastructures in the Middle East and Africa. The activity has been attributed to a group tracked as SideWinder , which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04. "The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations," Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov said . Targets of the attacks include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies located in Bangladesh, Djibouti, Jordan, Malaysia, the...

The threat actor behind the attacks on  Twilio  and  Cloudflare  earlier this month has been linked to a broader phishing campaign aimed at 136 organizations that resulted in a cumulative compromise of 9,931 accounts. The activity has been condemned  0ktapus  by Group-IB because the initial goal of the attacks was to "obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations." Calling the attacks well designed and executed, the Singapore-headquartered company said the adversary singled out employees of companies that are customers of identity services provider Okta. The modus operandi involved sending targets text messages containing links to phishing sites that impersonated the Okta authentication page of the respective targeted entities. "This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations," Group-IB  said ...

The China-linked threat actor known as  Evasive Panda  orchestrated both watering hole and supply chain attacks targeting Tibetan users at least since September 2023. The end goal of the attacks is to deliver malicious downloaders for Windows and macOS that deploy a known backdoor called MgBot and a previously undocumented Windows implant known as Nightdoor. The findings come from ESET, which said the attackers compromised at least three websites to carry out watering-hole attacks as well as a supply-chain compromise of a Tibetan software company. The operation was discovered in January 2024. Evasive Panda, active since 2012 and also known as Bronze Highland and Daggerfly, was  previously disclosed  by the Slovak cybersecurity firm in April 2023 as having targeted an international non-governmental organization (NGO) in Mainland China with MgBot. Another report from Broadcom-owned Symantec around the same time  implicated  the adversary to a cyber espi...

The Russia-linked threat actor known as COLDRIVER has been observed distributing a new malware called LOSTKEYS as part of an espionage-focused campaign using ClickFix-like social engineering lures. "LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker," the Google Threat Intelligence Group (GTIG) said . The malware, the company said, was observed in January, March, and April 2025 in attacks on current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs. In addition, individuals connected to Ukraine have also been singled out. LOSTKEYS is the second custom malware attributed to COLDRIVER after SPICA , marking a continued departure from the credential phishing campaigns the threat actor has been known for. The hacking group is also tracked under the names Callisto, Star Blizzard, and UNC4057. "They ar...

In cybersecurity, the smallest crack can lead to the biggest breaches. A leaked encryption key, an unpatched software bug, or an abandoned cloud storage bucket—each one seems minor until it becomes the entry point for an attack. This week, we've seen cybercriminals turn overlooked weaknesses into major security threats, proving once again that no system is too small to be targeted. The question isn't whether attackers will find a way in—it's whether you'll be prepared when they do. Let's break down what you need to know. ⚡ Threat of the Week Microsoft Warns of Attacks Exploiting ASP.NET Machine Keys — Threat actors are exploiting publicly disclosed ASP.NET machine keys to inject and execute malicious code responsible for launching the Godzilla post-exploitation framework. Microsoft said it has identified over 3,000 publicly disclosed keys that could be used for these types of attacks dubbed ViewState code injection. The company also said it removed key-related artifacts from ...

A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign. The starting point of the attack is a deceptive email that poses as an order request to deliver a malicious 7-zip archive attachment, which contains a JavaScript encoded (.JSE) file. The phishing email, observed in December 2024, falsely claimed that a payment had been made and urged the recipient to review an attached order file. Launching the JavaScript payload triggers the infection sequence, with the file acting as a downloader for a PowerShell script from an external server. The script, in turn, houses a Base64-encoded payload that's subsequently deciphered, written to the Wi...

Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT . The attack chain, analyzed by Securonix, involves three main moving parts: An obfuscated JavaScript loader injected into a website, an HTML Application (HTA) that runs encrypted PowerShell stagers using "mshta.exe," and a PowerShell payload that's designed to download and execute the main malware. "NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft, and proxy capabilities," researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said . There is little evidence at this stage to tie the campaign to any known threat group or country. The activity has been found to target enterprise users through compromised websites, indicative of a broad-strokes ...

Various industrial organizations in the Asia-Pacific (APAC) region have been targeted as part of phishing attacks designed to deliver a known malware called FatalRAT. "The threat was orchestrated by attackers using legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure," Kaspersky ICS CERT said in a Monday report. "The attackers employed a sophisticated multi-stage payload delivery framework to ensure evasion of detection." The activity has singled out government agencies and industrial organizations, particularly manufacturing, construction, information technology, telecommunications, healthcare, power and energy, and large-scale logistics and transportation, in Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam, and Hong Kong. The lure attachments used in the email messages suggest that the phishing campaign, dubbed Operation SalmonSla...