The elite security team at @LevelBlueCyber. Response & Investigations. Analysis & Testing. Research & Development. Follow for info on the latest threats.

Joined January 2009
🚨 #Malspam Alert: Don't let this fake #ZoomMeeting invite catch you off guard. This latest campaign uses convincing Zoom-themed lures to trick recipients into downloading malicious software. Clicking "Join Meeting" downloads ZoomConnect_Update.msi, which installs an abused #PDQ Connect. This fits a broader trend where threat actors abuse a range of legitimate RMM tools and take advantage of their off-the-shelf remote access capabilities for unauthorized control.
🔎IoCs:
hxxps://linkly[.]link/2kFwq
hxxps://zoom[.]zoommeetingnow[.]com/zoom.html
ZoomConnect_Update.msi
c6cf66604dde5b8a9c5ab58e48e640a17951dfcf
02ad7e9c3a028d112b9ce04b2a88040285e3119e061d3260ed8078aed7f78610
🪝#Phishing Alert: We detected a new device‑code phishing campaign abusing a #Thryv marketing redirect in fake file‑share emails. The campaign targets #Microsoft accounts, routing victims through a Microsoft-branded anti-bot page before being presented with a device-code phishing lure designed to enable account compromise. #MailMarshal’s D‑Fence ML flagged a high volume of campaign-related samples.
IOCs:
celestinosantos[.]pt/wp-content/upgrade/
gogo4wz6qn[.]billbutterworth[.]com
Abused infrastructure: clickme[.]thryv[.]com
Sapphire Sleet is swapping exploits for trust: signed apps → native tools → zero friction → full compromise.
Script Editor ➝ osascript ➝ curl
Finder ➝ TCC.db rewrite
LaunchDaemon ➝ in‑memory beacon
hubs.ly/Q04jLMj30
Physical access attacks just got boring...and that’s the problem. YellowKey abuses WinRE and deprecated-but-still-live TxF to unlock BitLocker‑protected volumes before the OS loads. Add GreenPlasma and MiniPlasma, and you’ve got a clean chain from reboot → SYSTEM. Recovery environments aren’t neutral. They’re trusted. hubs.ly/Q04hX54-0
Meet....The Gentlemen: a high-volume extortion operation that went from "new name" to top-two global activity in less than a year. It's not even really the malware that stands out, but the model:
▪️Affiliate-driven scale with batch disclosures
▪️Data theft as the main pressure point (not a side quest)
▪️Short time-to-encryption fueled by exposed perimeter access and valid creds
They've already claimed 352 victims, and IR telemetry suggests that's just the tip of the iceberg (many intrusions never hit the leak site at all). Let's break down the defensive takeaways: hubs.ly/Q04hHxMn0
Here's what you need to know about #YellowKey and #GreenPlasma:
🟡 YellowKey is a WinRE abuse that lets anyone with physical access and a USB walk straight past BitLocker. No creds. No TPM bypass. Encryption at rest becomes optional.
🟢 GreenPlasma is a privilege escalation flaw abusing the trusted CTFMON process to jump from standard user to SYSTEM on fully patched Windows systems.
The takeaway? These bugs don't "break" Windows, they exploit what Windows already trusts. Let's break it down: hubs.ly/Q04hFLRh0
Your EDR trusts it. Your safelisting allows it. That’s why attackers love Electron. Our Purple Team report breaks down how trusted Electron apps are quietly backdoored or hollowed out (staying functional while running C2 in plain sight). hubs.ly/Q04gcNMn0
Nothing screams “malware” like… MicrosoftToolkit.exe? 🤔 This multi‑stage loader blended in, unpacked itself piece by piece, and used an AutoIt script to phone home (courtesy of Telegram and Steam). Let's break down exactly how this loader delivers Vidar and why defenders can't afford to ignore "legit" tools anymore: hubs.ly/Q04gcM2L0
Your biggest hotel breach might start...at the gym? 🏋️ A smart stationary bike. 🚲 An open Ethernet port. 🔌 A straight line to PCI systems and RCE. ⛓️ It's what our experts found in a recent assessment: unsecured IoT gym equipment that became a launchpad for lateral movement into internal admin networks. No malware, no phishing, no alarms. Just overlooked infrastructure doing exactly what it was allowed to do. Review our findings: hubs.ly/Q04dWyzD0
Remote access trojans have been quietly evolving for decades. KarstoRAT didn’t get the memo to stay subtle. 🤫 From webcam hijacking and token theft to flipping desktops upside down (literally), this novel RAT blends serious espionage with psychological disruption, using a fake Roblox marketplace as the front door. Our experts pulled it apart piece by piece: C2 infrastructure, persistence tricks, exfil paths, and the “why” behind its design, below. ⤵️ levelblue.com/blogs/spiderla… #KarstoRAT #cybersecurity #cyberthreat #SpiderLabs #malware #trojans
Tax Pros: Stay alert! 🚨 A #phishing campaign is impersonating the #IRS with fake EFIN abuse notices. Attackers leverage SVG smuggling to deliver ScreenConnect, a legitimate remote access tool abused to gain unauthorized control of victim systems. IRS-themed lures surge every #tax season; this is your reminder to verify before you click.
#IoCs:
hxxps[://]pub-f939dbd3723046e2b8e8278cdabd5d4b[.]r2[.]dev/index[.]html (SVG Smuggling Payload URL)
hxxps[://]internal-revenue-service-irs-documents-secure-79028847[.]yaxlore[.]cfd (Captcha/Redirect Page)
hxxps[://]pub-a625ce3253bb4d1cba97c1dc4f7b198b[.]r2[.]dev/11[.]cmd (Stage 2 CMD Download)
hxxps[://]pub-a625ce3253bb4d1cba97c1dc4f7b198b[.]r2[.]dev/SC[.]msi (ScreenConnect MSI Download)
e2c52aa56895930ab8211f8748f79292ad52197619b98d8daa85f354a3c3eb69 (86586960EFIN-ACTIVITY.svg)
7d2e115c52155f376ce5bf64fb903776943843ea3f6e84571e0d73fc23b93df5 (EFIN ACTIVITY 2026 SUMMARY.cmd, Stage 1 CMD)
164169a692e66dc16df6c5e42b72cd5b7d661ac25469d4b0a600356a0517c706 (11.cmd, Stage 2 CMD)
29b046ea1451b5fb2d96ade7c0fb56a4b4425a19b08d6326c4241577a882c2c8 (SC.msi, ScreenConnect)
The attacker didn’t send a link. It made a phone call. 📲 Okta vishing is redefining initial access: no malware, no phishing kits, just social engineering aimed straight at your identity provider and designed to (almost) entirely bypass standard endpoint defenses. If your threat model still starts with email, you’re behind. hubs.ly/Q04bM3MC0
🪝#Phishing Alert: A recent #Tycoon2FA phishing campaign uses imageless QR codes constructed using HTML tables embedded in the email body. Individual table cells are colored black (#000000) or white (#FFFFFF) to represent the modules. When scanned, the rendered QR code redirects to a fake @Microsoft 365 login page.
IOCs:
hxxps://scanqrcode[.]corpsfileshare[.]com/
hxxps://corpsfileshare[.]sevroni[.]com/
hxxps://kazioya[.]ru/
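One way to flag this table-built QR lure at the mail gateway, as an added example that is not from the post and not MailMarshal's own logic: a Python check that parses the email HTML, reads each table as a grid of black/white cells, and looks in the corners for the three 7x7 finder patterns every QR code carries (all function names are hypothetical; the sample email is constructed).

```python
import re
from html.parser import HTMLParser
# Hypothetical detector (not MailMarshal's): a square black/white <table> with QR finder patterns.
FINDER = [[1] * 7, [1, 0, 0, 0, 0, 0, 1], [1, 0, 1, 1, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1],
          [1, 0, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0, 0, 1], [1] * 7]

def cell_color(attrs):
    """Map a <td>'s bgcolor or background style to 1 (black), 0 (white) or None (other)."""
    m = re.search(r"background(?:-color)?\s*:\s*([^;]+)", attrs.get("style") or "", re.I)
    bg = (m.group(1) if m else attrs.get("bgcolor") or "").strip().lower()
    return {"#000000": 1, "#000": 1, "#ffffff": 0, "#fff": 0}.get(bg)

class TableGridParser(HTMLParser):
    """Collect every <table> as a list of rows, each row a list of cell colours."""
    def __init__(self):
        super().__init__()
        self.tables, self._rows, self._row = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._rows = []
        elif tag == "tr" and self._rows is not None:
            self._row = []
        elif tag == "td" and self._row is not None:
            self._row.append(cell_color(dict(attrs)))
    def handle_endtag(self, tag):
        if tag == "tr" and self._row is not None:
            self._rows.append(self._row); self._row = None
        elif tag == "table" and self._rows is not None:
            self.tables.append(self._rows); self._rows = None

def looks_like_qr_table(grid):
    """Square, purely black/white grid with >= 2 finder patterns (smallest QR, v1, is 21x21)."""
    n = len(grid)
    if n < 21 or any(len(r) != n or None in r for r in grid):
        return False
    def finder_at(r0, c0):
        return all(grid[r0 + i][c0 + j] == FINDER[i][j] for i in range(7) for j in range(7))
    return sum(finder_at(r, c) for r, c in ((0, 0), (0, n - 7), (n - 7, 0))) >= 2

def scan_email_html(html):
    p = TableGridParser(); p.feed(html)  # returns how many QR-like tables the body contains
    return sum(looks_like_qr_table(t) for t in p.tables)

def build_sample_html(n=21):
    """Constructed lure: 21x21 cells with finder patterns plus filler bits (not a scannable QR)."""
    g = [[(i * 7 + j * 3) % 2 for j in range(n)] for i in range(n)]
    for r0, c0 in ((0, 0), (0, n - 7), (n - 7, 0)):
        for i in range(7): g[r0 + i][c0:c0 + 7] = FINDER[i]
    cells = lambda r: "".join('<td bgcolor="%s"></td>' % ("#000000" if c else "#FFFFFF") for c in r)
    rows = "".join("<tr>%s</tr>" % cells(r) for r in g)
    return "<html><body><p>Scan to open the shared file</p><table>%s</table></body></html>" % rows
```

Any message with a hit is worth routing to analyst review, since image-based QR scanning controls never see a table that is only rendered into a QR code by the mail client.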
A compromised CPUID HWMonitor installer was observed delivering a fileless malware chain using MSBuild and regsvr32 to execute Clippy.sct. The script encodes the payload as IPv6 data, reconstructs it into a .NET assembly, and executes it via deserialization. hubs.ly/Q04brvkW0
No zero-days. No custom malware. Still effective. ERRTraffic v3 shows how far attackers can go by:
🔺Hosting payload logic inside Ethereum smart contracts
🔺Using ClickFix to turn “helpful” user action into execution
🔺Rotating infrastructure without touching traditional hosting
The campaign succeeds not because defenses are broken, but because nothing “looks” malicious enough to stop. levelblue.com/blogs/spiderla…
Threat actors are abusing legitimate @Meta #Facebook Business Manager partner request notifications to deliver phishing emails. While messages originate from trusted infrastructure, attackers manipulate account names with lure-driven content to embed #phishing links. In this example, #MailMarshal detected a campaign leading to fake Facebook Help landing pages designed to harvest user data, page details, passwords, and 2FA codes.
🔎 IOCs:
aisupportpage[.]online
helpforpage[.]online
pagereport[.]online
pagereview[.]online
pagesactnow[.]help
pageshub[.]click
MAC randomization was supposed to protect privacy...turns out, signal strength has other plans. RF power levels can be used to passively track devices, even when MAC addresses are randomized. It's a smart reminder that security controls don't exist in isolation and attackers love the gaps between them. hubs.ly/Q04978pt0
⚠️ #MalspamAlert: Shipment-themed campaign impersonating a logistics company delivering STRRAT via JAR loader. The lure references shipping documents and a Bill of Lading to pressure recipients into opening the attachment. The attached JAR file acts as a loader, pulling a second-stage JAR from a remote staging server that deploys the STRRAT RAT. Persistence is established through Run registry keys and scheduled tasks. STRRAT enables credential theft, keylogging, and remote access.
IOCs:
JAR Loader (00192910302FCL.jar) 4898b9c79f4c7fe2abaf251167fe2c3ede4e6e4493d2e15ec8ca9f06ba231339fb1e28d37d5c8cfa78440aa299a33876
STRRAT 67299adbcb422b3bb5191206af392a563dc85de237521ccd780df7ed8236de0c07b3f30bfa5704d24c745b2d424ad166
Staging URL: hxxp[://]45[.]153[.]34[.]209:5001/storage/06d00e3f266343c0.jar
C2: strigsfrommarch26.myddns[.]com:7888, update-service.dynssl[.]com:7881
📨 #BEC Alert: We've identified a wave of Dual-Channel BEC attacks designed to shift the conversation from corporate email to WhatsApp groups. Unlike in traditional campaigns that request the victim's number, fraudsters instruct them to create a single-member group and share it via QR codes.